Hi,
This question may have been asked/answered before but I can't find it anywhere. I have a web app that is entirely protected by a login page. On login, I create a non-persistent authentication ticket with a timeout of 10 minutes, wrap it in a cookie, and attach it to the response. Later on (in the Application_AuthenticateRequest event in global.asax) I read the cookie/ticket to extract the user's identity and roles etc. This all works very well. After 10 minutes is up, when the user causes a postback, they are redirected to my login page. Excellent.
Now, I want to detect when the authentication ticket has timed out so I can do two things:
1. Abandon the user's session (because authentication timeout doesn't kill off the session...which is on a different timeout schedule).
2. Set some sort of flag to indicate to the login page that a message should be displayed informing the user that they have been redirected due to a timeout.
There seem to be a number of different ways of detecting session timeouts (by checking IsNewSession and SessionId values), but I haven't yet come across anything for authentication ticket timeout. Am I missing something really obvious, like a FormsAuthentication event, to indicate this?
On a completely unrelated topic, is there any good way of extracting all the roles encoded in a GenericPrincipal identity? So, for example, I can call something like Context.User.Identity.Role. I know I can call Context.User.IsInRole("myRole"), but is there any way of accessing it without knowing the role name in advance?