Re: Question about redirecting to a "session expired" page...
From: John Smith (no_one_home_at_hotmail.com)
Date: 05/20/04
- Next message: jzhu: "Re: Role based security and Domains"
- Previous message: Janaka: "Re: Session variables in asp.net"
- In reply to: Joseph E Shook [MVP - ADSI]: "Re: Question about redirecting to a "session expired" page..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 May 2004 08:45:09 -0400
I think that did the trick! You rock dude! :) Thanks.
Final code:
// why are we here? session timeout? user clicked logout? or new
session?
// if auth expiration (ie session timeout)...
// get auth ticket info if it exists
try {
HttpCookie authCookie =
Request.Cookies[FormsAuthentication.FormsCookieName];
FormsAuthenticationTicket authTicket =
FormsAuthentication.Decrypt(authCookie.Value);
if (authTicket.Expired) {
Response.Write("Session Timedout");
lblLoginError.Text = "Your session has timed out. Please log in again!";
lblLoginError.Visible = true;
}
}
catch (Exception exp) {
// auth ticket probably didn't exist which means this is NOT a session
timeout..ignore
}
// did user click logout?
if (Request.QueryString.ToString().IndexOf("logout") >= 0) {
// remove all session items and the auth ticket
Session.RemoveAll();
FormsAuthentication.SignOut();
lblLoginError.Text = "You have been logged out at your request!";
lblLoginError.Visible = true;
}
"Joseph E Shook [MVP - ADSI]" <joeshook@deploymentCentric.com> wrote in
message news:40AC74E1.4010303@deploymentCentric.com...
> You need to get the authticket directly and check it's expired property.
>
> HttpCookie authCookie =
> Context.Request.Cookies(FormsAuthentication.FormsCookieName)
> FormsAuthenticationTicket authTicket =
> FormsAuthentication.Decrypt(authCookie.Value)
> if (authTicket.Expired)
> {
> 'do your thing.
> }
>
> I think that works... I pulled it from a more complicated piece of code
> and didn't test it, but I think you can see that with an expired
> authTicket you would not get a non-anonymous User.Identity populated.
>
>
> John Smith wrote:
>
> > This may sound trivial but I cannot figure out how to do this...
> > When a logged in user's session expires, I want that user redirected
back to
> > the login page with a label that says "session expired". Sounds easy,
eh?
> >
> > First, am I correct in assuming that a session is totally separate from
the
> > "AuthCookie" that gets set when you use the FormsAuthentication class?
They
> > have nothing to do with each other, right? So, if my IIS application is
set
> > to expire Sessions every 20 minutes, that has no affect on the
AuthCookie
> > that I set to timeout every 18 minutes and vice-versa.
> >
> > I just started playing around with <authentication> in my web
application.
> > I had simply been using Session variables to track the session of a
logged
> > in user with the following code that I would put at the top of each
page. I
> > had to use try/catch because, if the session had expired, it would throw
an
> > exception while trying to print the name. If the exception occured,
that
> > means the session expired and it would redirect back to the login page.
The
> > login page tests for the "j=session_timedout" in the querystring and
will
> > display "Sorry, your session timed out!". No problem.
> >
> > try {
> > lblSessionName.Text = Session["name"].ToString();
> > }
> > catch (Exception exp) {
> > Response.Redirect("login.aspx?j=session_timedout");
> > }
> >
> > But I just started REALLY playing around with the built-in
authentication
> > that .net has and I think its much nicer than what I was trying to do.
I
> > have it now using Forms based authentication (web.config):
> >
> > <authentication mode="Forms">
> > <forms loginUrl="/login.aspx" name=".FORMSAUTH" path="/"
> > protection="All" timeout="18" slidingExpiration="true" />
> > </authentication>
> >
> > <authorization>
> > <deny users="?" />
> > </authorization>
> >
> > It validates users against Active Directory by trying to pass the
username
> > and password found in the login.aspx form to a DirectoryEntry object.
If it
> > succeeds, it calls:
> >
> > FormsAuthentication.RedirectFromLoginPage(strUsername,false);
> >
> > After 18 minutes have passed with no activity, the cookie expires and
the
> > user tries to click on a link, it redirects to the login page. All that
> > works fine. The problem is I don't know how to test the AuthCookie for
> > expiration. In the login.aspx page, I need to somehow test to see
whether
> > the user was directed here because of a session timeout (actually the
> > AuthCookie expired). Previously, I had simply been testing the
querystring
> > for "j=session_timedout". But now I can't do that since the redirection
> > happens automatically when the AuthCookie expires. I've tried testing
the
> > AuthCookie for expiration with its "Expire" property:
> >
> > FormsIdentity fiAuthTicket =
> > (FormsIdentity)HttpContext.Current.User.Identity;
> > FormsAuthenticationTicket fatAuthTicket = fiAuthTicket.Ticket;
> >
> > if (fatAuthTicket.Expired) {
> > lblLoginError.Text = "Your session has timed out. Please log in
> > again!";
> > lblLoginError.Visible = true;
> > }
> >
> > but the problem there is that, if the AuthCookie has expired, the
> > User.Identity seems to be set to null because I get an error with:
> >
> > FormsIdentity fiAuthTicket =
> > (FormsIdentity)HttpContext.Current.User.Identity;
> >
> > So that fails and it never prints out "Your session has timed out...".
> >
> > It shouldn't be that hard to do but I can't figure out how to do it.
Any
> > help is appreciated.
> >
> >
> >
- Next message: jzhu: "Re: Role based security and Domains"
- Previous message: Janaka: "Re: Session variables in asp.net"
- In reply to: Joseph E Shook [MVP - ADSI]: "Re: Question about redirecting to a "session expired" page..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
