I have form authentication in my application which has cookie timeout set to 20 minutes. Cookie is being removed after 20 minutes of user's innactivity. I also have some data stored in session which has timeout set also to 20 minutes.

If I set cookie timeout to less than session everything works fine and user is redirected to login page. But if session expires before cookie, which is most likely, all data gets lost.

I tried to force form authentication logout at session end in global.asax but it doesn't work. I used this code in global.asax:

FormsAuthentication.SignOut()
FormsAuthentication.RedirectToLoginPage()

Am I doing this right or is there any other better way to handle this.

Thanks
 

Hello my friend,

The code seems right but it is in the wrong place.  Within your page code, check if a session variable exists.  If not, use the 2 lines above to kick the user out.  Something like the following: - 

If you need to do this on multiple web pages, create a new class called CustomBasePage like the following: -

using System;

Now for any web page where you need to make this check, change it so that it inherits from this new class instead of System.Web.UI.Page

For example: -

Hope this does the trick my friend

Kind regards

Scotty

I'm having similar problem, and still thinking about some good solutions. first of all let me explain the problem

 I'm using Form Authentication in our web application and also using session to save user specific data. problem started when we came to know that session are lossing data if user is being idle for more than session timeout. session timeout set to 60 mins and same is the timeout for Form Authentication.  see below.

 <sessionState timeout="60" mode="InProc" cookieless="false"/>
   
  <authentication mode="Forms">
   <forms loginUrl="Pages/Login.aspx" defaultUrl=".\Pages\Default.aspx" timeout ="60" slidingExpiration ="true">
   </forms>
 </authentication>

Now the problem is  Event viewer is having too many events logged when page is left idle for more than 60 mins and then user try to make any request. it is automatically redirected to login page which is corrected this is how it should work. but at the same time it log (see below.)

 Now here is my understand about above flow. when session and Form Authentication is timeout (it is timing out at the same time  in my case.) and when user make any request. Forms Authentication came in to check the validity of the issued ticket. and find it expired and redirect to login. at the same time it create new session. (creating a new session if one already timeout  is a buildin feature of IIS.) Now possiablities are:

-- when new session is being created it obiously not have same data which previous session was holding. and user is not redirected to login page some how, and continue to next page with new session that give the effect of session data lost. or may there is someother reason. For this problem I have already put in the code in Global.asax in AcquireRequestState event, which checks every request and session state if user is Authenticated and Session is newly created just forced the user to login page to get all his user specific data again. this will solve my problem of data lost during the user session hopefully.

But my other problem is that event is still being logged in the event log. Beacuse Form Authentication ticket validation is check before session state is being established for the request.

So can some suggest me any good place where i can check my session expiry before Form Authentication ticket validation.