Re: Re-login if authenticated after session has expired

I think there is some confusion here. The expiration of a forms-based
authentication ticket and the user's session state are not related. They
are governed by two separate systems and two separate cookies. The user's
session state can expire completely independently of their forms-based login
status, and vice versa.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<peter@xxxxxxxxxxxxxx> wrote in message
news:1158887648.256649.178040@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have the requirement to allow users to log in just once per day even
if their session has expired. Sessions are set to 30 minutes, and I'm
using forms authentication.

I had this working nicely under .NET 1.1. Once authenticated, I wrote a
persistent authentication cookie that timed out at 8:00 pm. In the
Session_Start handler in global.asax I check if the user is
authenticated and if so, I then run a quick check on the User's name
(stored in HttpContext.Current.User.Identity.Name) and if everything's
OK then I issue a new authentication cookie using GetAuthCookie and
re-create my session variables. This keeps everyone logged in until
8:00 pm; after that they have to login again.

However, this isn't working under .NET 2.0. Once the session has
expired users get sent to the login page. I think this is because the
way Session_Start fires has changed under 2.0, and it doesn't get
created until a value is actually written into the Session object.

Does anyone know of a workaround for this, or a better way of handling
this situation; ie how to manage longer authentications than sessions
under .NET 2.0, and be able to detect when this happens before the user
gets redirected to the login page (so I can recreate my session
variables)?

Hope this makes sense!

Thanks

Peter Cooper



.

Relevant Pages

  • Re: Force Relogin. IIS6, ASP.NET app, IE6+ browser
    ... now it appears you are suggesting I either write a custom authentication ... cookies/tokens involved; IIS has no idea what a session is; IIS does ... not prompt with a login dialog. ... The problem you face is that a browser will automatically attempt ...
    (microsoft.public.inetserver.iis.security)
  • Re: How to implement a automatic login function
    ... If you do not like the API, you can create MembershipUser objects and attach to an ongoing session. ... now I am using a asp.net login control and a customized membership provider to do the form authentication. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: HELP Connection error on Release mode
    ... "Off" Always display detailed ASP.NET error information. ... This section sets the authentication policies of the application. ... Set trace enabled="true" to enable application trace logging. ... <!-- SESSION STATE SETTINGS ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Forms authentication BIG issue
    ... Forms authentication does not relate to session at all, except that they both use cookies to track the user, so changing session will have no effect on the forms authentication. ... I'd suggest on your login page to check to see if the user is logged in and if so show their current login on the form. ... I hit some* "server side" link button or button (or any other ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Session Fixation Vulnerability in Web-based Applications
    ... session, without modifying the way servers generate session ID's is as ... Think of the http server generated sessions as "UI Sessions" and as ... no impact on authentication. ... "authentication key" for this domain (usually in the form of a new ...
    (NT-Bugtraq)