Last post May 10, 2012 02:54 PM by fosbie
May 10, 2012 09:19 AM
Our website that is currently being tested seems to demonstrate that the forms authentication is not working properly when it times out. There is a header containing a "Logout" button that is disappearing from time to time due to the following line of code in the page_load of the master page:
headerNav.Visible = Request.IsAuthenticated;
Surely this should never be seen in the secure area as I would expect the user to be redirected to the login page when the auth times out.
The solution is set up so that the main web.config in the root of the website has the following entry:
<forms loginUrl="/Account/Login.aspx" protection="All" path="/" name="PLAuth" timeout="20" />
There is a sub folder within the root called Secure which has another web.config file with the following contents
And all of the secure web pages are in other subfolders within Secure, such as /Secure/Maintenance/account.aspx
My concern is that users who are not authenticated are able to use secured pages. Why isn't the redirect from the web.config working?
May 10, 2012 09:30 AM
Hi, please refer to http://csharpdotnetfreak.blogspot.com/2009/01/forms-authentication-aspnet-20.html
You can manually detect session timeout and redirect to login page.
May 10, 2012 09:43 AM
Thanks for the info. The first article confirms that I think I am doing everything right.
The second one we are already doing if the session times out, but my issue is when the auth times out before the session. I know we could manually redirect the user to the login page, but I want to use the built-in forms authentication method of doing this and find it frustrating when it doesn't work how it should.
May 10, 2012 11:21 AM
I've changed the forms authentication timeout to 5 mins now, just to prove a point, leaving the session timeout still at 20. If I log in to the website then wait for just over 5 mins, I can see that the form auth has timed out because of the header having disappeared, but I'm still able to use the secure area no problem. Why won't it redirect? Or at least give an error?
May 10, 2012 12:18 PM
Hi, please deny access to all anonymous users and allow access to authenticated users by changing web.config in sub folder to
Also try clearing cookies
May 10, 2012 02:54 PM
I'm not sure how that can be right as * means all users and ? means unauthenticated users.
That setting would suggest that only unauthenticated users are allowed, OR more likely, no users are allowed as the first rule will be the only one processed as that one matches in all cases.
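The last reply turns on how ASP.NET URL authorization reads `*` and `?` and on the first matching rule deciding the outcome. The following is an added example, not code or configuration from any poster in this thread: a small Python model of that evaluation run over three constructed `<authorization>` fragments. It assumes a single config section, models only the `users` attribute (no roles or verbs), and treats "no rule matched" as the inherited default `<allow users="*" />`.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not taken from the thread): two orderings of the
# same pair of rules, and the usual "block anonymous users" rule.
DENY_ALL_FIRST = '<authorization><deny users="*" /><allow users="?" /></authorization>'
ALLOW_ANON_FIRST = '<authorization><allow users="?" /><deny users="*" /></authorization>'
DENY_ANON = '<authorization><deny users="?" /></authorization>'


def matches(pattern, user):
    """user is None for an anonymous request, otherwise the login name."""
    if pattern == "*":
        return True              # every user, authenticated or not
    if pattern == "?":
        return user is None      # anonymous (unauthenticated) users only
    return user is not None and pattern == user  # named user, exact match in this model


def is_allowed(authorization_xml, user):
    """Walk the <allow>/<deny> rules top to bottom; the first match decides."""
    for rule in ET.fromstring(authorization_xml):
        if rule.tag not in ("allow", "deny"):
            continue
        patterns = [p.strip() for p in rule.get("users", "").split(",")]
        if any(matches(p, user) for p in patterns if p):
            return rule.tag == "allow"
    # Assumption: nothing matched locally, so the inherited allow-all applies.
    return True


def decisions(authorization_xml):
    """Outcome for an anonymous request and for a logged-in user 'alice'."""
    return {
        "anonymous": is_allowed(authorization_xml, None),
        "authenticated": is_allowed(authorization_xml, "alice"),
    }


if __name__ == "__main__":
    for name, xml in [("deny * first", DENY_ALL_FIRST),
                      ("allow ? first", ALLOW_ANON_FIRST),
                      ("deny ? only", DENY_ANON)]:
        print(name, decisions(xml))
```

Only the third fragment blocks anonymous requests while letting authenticated users through; the first blocks everyone and the second admits anonymous users only.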