The browser does not send the Identity cookie (or any cookie) if the cookie has expired. When the identity cookie does not exist in the request, the Identity Framework does not authenticate the request. This usually causes a redirect to a login page.
Simple expire Session on the login page.
Session should be used like cache and never depend on authentication. The common pattern is very simple. If Session is null, fill Session.
Gaston Leblanc
Anyway, I can cope with the first by executing code in the session-end event
This cannot work. The Session End Event (In-Proc config only) fires on the server in order to clear memory resources. The Identity cookie is in the browser so there is no way for the event to affect the Identity cookie.
IMHO, the two situations mentioned above are design bugs related to not understanding the technology.
Thanks for the answer, mgebhard, One question though, if the session expires (but the cookie for the login is still active), the user may be visiting a page in some protected directory and not be bounced out. He will just see strange data.
I could create a base page class for all my pages, in the LOAD event of that class, I could say something like
if session("userfirstname") is nothing then response.redirect("/default.aspx)
You are right that I didn't understand that a global.asax doesn't detect or affect cookies.
One question though, if the session expires (but the cookie for the login is still active), the user may be visiting a page in some protected directory and not be bounced out. He will just see strange data.
In this situation, simply populate session("userfirstname") which should be simple because you have the username (Identity cookie is not expired).
Gaston Leblanc
You are right that I didn't understand that a global.asax doesn't detect or affect cookies.
You are confusing an event with an HTTP request. The End_Session event fires on the web server which allows the web server to clean up Session memory. The web server cannot locate a client's browser through the Internet and delete an authentication cookie.
However, there are other global.asax events that are request based where cookies are available.
It sounds like you have hole in your understanding. Your best bet is to learn the fundamentals. Start with basic HTTP GET and POST. Then learn the ASP.NET life cycle.
Member
53 Points
69 Posts
is there an event that fires when a user log-in cookie expires in identity?
Apr 04, 2018 10:55 AM|Gaston Leblanc|LINK
My code has to cope with 2 situations:
That's assuming a user 'login' can expire
Anyway, I can cope with the first by executing code in the session-end event.
The second is a problem. How would I detect when the user 'log-in' has expired?
All-Star
44341 Points
19140 Posts
Re: is there an event that fires when a user log-in cookie expires in identity?
Apr 04, 2018 11:36 AM|mgebhard|LINK
The browser does not send the Identity cookie (or any cookie) if the cookie has expired. When the identity cookie does not exist in the request, the Identity Framework does not authenticate the request. This usually causes a redirect to a login page. Simple expire Session on the login page.
Session should be used like cache and never depend on authentication. The common pattern is very simple. If Session is null, fill Session.
This cannot work. The Session End Event (In-Proc config only) fires on the server in order to clear memory resources. The Identity cookie is in the browser so there is no way for the event to affect the Identity cookie.
IMHO, the two situations mentioned above are design bugs related to not understanding the technology.
Member
53 Points
69 Posts
Re: is there an event that fires when a user log-in cookie expires in identity?
Apr 05, 2018 10:19 AM|Gaston Leblanc|LINK
Thanks for the answer, mgebhard, One question though, if the session expires (but the cookie for the login is still active), the user may be visiting a page in some protected directory and not be bounced out. He will just see strange data.
I could create a base page class for all my pages, in the LOAD event of that class, I could say something like
if session("userfirstname") is nothing then response.redirect("/default.aspx)You are right that I didn't understand that a global.asax doesn't detect or affect cookies.
All-Star
44341 Points
19140 Posts
Re: is there an event that fires when a user log-in cookie expires in identity?
Apr 05, 2018 11:03 AM|mgebhard|LINK
In this situation, simply populate session("userfirstname") which should be simple because you have the username (Identity cookie is not expired).
You are confusing an event with an HTTP request. The End_Session event fires on the web server which allows the web server to clean up Session memory. The web server cannot locate a client's browser through the Internet and delete an authentication cookie. However, there are other global.asax events that are request based where cookies are available.
It sounds like you have hole in your understanding. Your best bet is to learn the fundamentals. Start with basic HTTP GET and POST. Then learn the ASP.NET life cycle.