fosbie
Member
73 Points
67 Posts
Forms Authentication Timeout does not redirect to login
May 10, 2012 09:19 AM
Our website that is currently being tested seems to demonstrate that the forms authentication is not working properly when it times out. There is a header containing a "Logout" button that is disappearing from time to time due to the following line of code in the page_load of the master page:
headerNav.Visible = Request.IsAuthenticated;
Surely this should never be seen in the secure area as I would expect the user to be redirected to the login page when the auth times out.
The solution is set up so that the main web.config in the root of the website has the following entry:
There is a sub folder within the root called Secure which has another web.config file with the following contents:
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
And all of the secure web pages are in other subfolders within Secure, such as /Secure/Maintenance/account.aspx
My concern is that users who are not authenticated are able to use secured pages. Why isn't the redirect from the web.config working?
Thanks.
fosbie
amit.jain
Star
11225 Points
1815 Posts
Re: Forms Authentication Timeout does not redirect to login
May 10, 2012 09:30 AM
Hi, please refer to http://csharpdotnetfreak.blogspot.com/2009/01/forms-authentication-aspnet-20.html
You can manually detect session timeout and redirect to the login page.
amiT jaiN
ASP.NET C# VB Articles And Code Examples
fosbie
Member
73 Points
67 Posts
Re: Forms Authentication Timeout does not redirect to login
May 10, 2012 09:43 AM
Thanks for the info. The first article confirms that I think I am doing everything right.
The second one we are already doing if the session times out but my issue is when the auth times out before the session. I know we could manually redirect the user to the login page, but I want to use the built in forms authentication method of doing this and find it frustrating when it doesn't work how it should.
fosbie
Member
73 Points
67 Posts
Re: Forms Authentication Timeout does not redirect to login
May 10, 2012 11:21 AM
I've changed the forms authentication timeout to 5 mins now, just to prove a point, leaving the session timeout still at 20. If I log in to the website then wait for just over 5 mins, I can see that the form auth has timed out because of the header having disappeared but I'm still able to use the secure area no problem. Why won't it redirect? Or at least give an error?
amit.jain
Star
11225 Points
1815 Posts
Re: Forms Authentication Timeout does not redirect to login
May 10, 2012 12:18 PM
Hi, please deny access to all anonymous users and allow access to authenticated users by changing web.config in sub folder to
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <deny users="*"/>
      <allow users="?"/>
    </authorization>
  </system.web>
</configuration>
Also try clearing cookies
amiT jaiN
ASP.NET C# VB Articles And Code Examples
fosbie
Member
73 Points
67 Posts
Re: Forms Authentication Timeout does not redirect to login
May 10, 2012 02:54 PM
I'm not sure how that can be right as * means all users and ? means unauthenticated users.
That setting would suggest that only unauthenticated users are allowed, OR more likely, no users are allowed as the first rule will be the only one processed as that one matches in all cases.
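
Added example, not part of the thread: a simplified Python model of ASP.NET URL authorization's in-order, first-match rule evaluation, run against the two sub-folder configurations posted above. It models only the `*` and `?` user patterns; named users, roles, verbs and inherited parent rules are left out, and the user name `alice` and the allow-all fallback standing in for the machine-level default are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Sub-folder web.config from the original question.
ORIGINAL = """<configuration><system.web><authorization>
  <deny users="?"/>
</authorization></system.web></configuration>"""

# Sub-folder web.config suggested in the reply.
SUGGESTED = """<configuration><system.web><authorization>
  <deny users="*"/>
  <allow users="?"/>
</authorization></system.web></configuration>"""


def load_rules(config_xml):
    """Return [(action, [user patterns])] in document order."""
    root = ET.fromstring(config_xml)
    section = root.find("./system.web/authorization")
    rules = []
    for el in (section if section is not None else []):
        if el.tag in ("allow", "deny"):
            users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
            rules.append((el.tag, users))
    return rules


def matches(pattern, user):
    """user is None for an anonymous request (no valid auth ticket)."""
    if pattern == "*":
        return True                # everyone, authenticated or not
    if pattern == "?":
        return user is None        # anonymous only
    return False                   # named users are not modelled here


def is_allowed(rules, user):
    """The first matching rule decides; later rules are never reached."""
    for action, patterns in rules:
        if any(matches(p, user) for p in patterns):
            return action == "allow"
    # Assumption: nothing matched, so the machine-level <allow users="*"/> applies.
    return True


def access_table(config_xml, users=(None, "alice")):
    """Map each sample user (constructed) to the access decision."""
    rules = load_rules(config_xml)
    return {("anonymous" if u is None else u): is_allowed(rules, u) for u in users}
```

For the question's configuration the model denies an anonymous request and allows an authenticated one; for the suggested configuration it denies both, because `<deny users="*"/>` matches first. It describes rule ordering only and does not account for the behaviour the poster observed after the ticket timed out.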