1

We're using a customer MembershipProvider that needs to go out to a web service to authenticate users. Forms authentication is set up in the web.config, which then goes to said provider. Once the authentication is complete, we set a custom cookie to store customer name, user full name, etc.

Our problem is this: quite often, once the session has timed out, when you revisit the site (either on our dev machine or running out of Visual Studio) you will still see the default home page despite the user not actually being authenticated. The moment you take a different action, the site recognizes that the user is invalid and returns you to the login page.

We have a BaseController class that all other Controllers derive from and we've added the [Authorize] attribute to the overridden Execute method, but it doesn't seem to work:

```csharp
[Authorize]
protected override void Execute(System.Web.Routing.RequestContext requestContext)
```

Is there something simple we are missing in terms of this one unauthenticated page displaying before the site returns to the login page?

user623647
    AFAIK, the `[Authorize]` attribute should be added either to the controller class, or to its action methods (those returning `ActionResult`). I've never heard of marking the `Execute()` method with `[Authorize]`. Could it be the issue? – Zruty Nov 18 '11 at 15:51

2 Answers

1

Several things come to mind.

  1. Are you certain the cookie has expired on that very same request the home page shows up on?
  2. Are you using any output caching?

  1. Doubtful here, but throwing it out unless there is some missing info here: this is assuming you are using something in the session (you mentioned session above). If by session you solely mean forms auth, then this won't help (and please clarify).

Remember that the session timeouts and forms authentication timeouts ARE NOT the same and are handled in a very different manner, so you must keep them synced, essentially.

Check out my code here: How can I handle forms authentication timeout exceptions in ASP.NET?

Forms auth timeouts are updated only once half the time has passed. Session timeouts are updated upon every request so the two easily get out of sync.

Adam Tuliper
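The drift between the two timers described in this answer can be replayed with a small model. This is an added example, not code from the answer's author or from ASP.NET itself; the 30 and 20 minute timeouts and the request times are constructed values, and the renewal rule is a simplified model of sliding expiration.

```csharp
using System;

static class TimeoutDrift
{
    // Assumed example values in minutes; a real site sets these in web.config.
    const int FormsTimeout = 30;
    const int SessionTimeout = 20;

    // Replays constructed request times (minutes after login at t = 0).
    static void Replay(string label, params int[] requests)
    {
        int ticketIssued = 0, ticketExpires = FormsTimeout;
        int sessionExpires = SessionTimeout;
        Console.WriteLine(label);

        foreach (int now in requests)
        {
            bool ticketValid = now < ticketExpires;
            bool sessionValid = now < sessionExpires;

            // Sliding expiration: the ticket is reissued only when more of its
            // lifetime has elapsed than remains (the "half the time" rule).
            bool renewed = ticketValid && (now - ticketIssued) > (ticketExpires - now);
            if (renewed)
            {
                ticketIssued = now;
                ticketExpires = now + FormsTimeout;
            }

            // Every request resets the session timer; after expiry a new,
            // empty session starts on this request.
            sessionExpires = now + SessionTimeout;

            Console.WriteLine(
                "  t={0,2}  ticket={1,-7} session={2,-7} renewed={3}",
                now, ticketValid ? "valid" : "expired",
                sessionValid ? "alive" : "expired", renewed);
        }
    }

    static void Main()
    {
        // Early requests never renew the ticket, so it dies while the session lives.
        Replay("ticket expires first:", 10, 14, 32);
        // One late request renews the ticket, which then outlives the session.
        Replay("session expires first:", 16, 40);
    }
}
```

In the second replay the final request is still authenticated by the forms ticket while its session data is gone, which is the state a `Session_Start` check on `User.Identity.IsAuthenticated` would catch.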
0

Out of interest, what happens if you include something like this in the Global.asax?

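```csharp
protected void Session_Start(Object sender, EventArgs e)
{
    // A new session is starting while the request still carries a valid
    // forms-auth ticket: sign the user out and send them to the session-end page.
    if (User.Identity.IsAuthenticated)
    {
        FormsAuthentication.SignOut();
        Response.Redirect("~/SessionEnd.aspx");
    }
}
```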

And I presume the [Authorize] is on the controller methods too is it?

Tom Chantler