Form Authentication Expiration

[Rob Douglass]

Hi all,

I have a site that is compeletely restricted by form authentication.
In the case where a user's cookie expires and then they click on the
logout button on the site, the authetication process is forcing them
to login again so that they can log out.

I've been trying to use
"HttpContext.Current.User.Identity.IsAuthenticated" as the first piece
of code in the "Page_Load" routine, but the server is redirecting the
browser before it gets to it.

Does anyone know of a way to catch the browser before it redirects to
the login page?

My code is as follows:

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
'Verify that user has not timed out.
If HttpContext.Current.User.Identity.IsAuthenticated = False
Then
Me.txtTimeout.Value = "true"
Me.lblLogoutMessage_LABEL.Text = "Cookie is gone."
Else
....
End if
End Sub

Thx,
Rob

 

[Sean Bright]

When you say "the authentication process is forcing them to login again
so that they can log out" this is not actually the case. The user is
already logged out, they are just getting the login page again because
your logout page is designated as not allowing anonymous users...

If your Forms authentication is properly configured (using the
<allow/><deny/> elements) and the user is not authenticated, then
ASP.NET never actually gets to the loading of the requested resource; in
other words, it never gets to your Page_Load event. This is, of course,
by design.

If you want to create a Log out page that will work even if the user is
already logged out, simply make the page accessible to users who are
both logged in and logged out...

<location path="/MyLogoutPage.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

And then handle that special case on your own using the IsAuthenticated
boolean.

This help?
Sean

 

[Rob Douglass]

That's exactly what I ended up trying at the end of the day yesterday.
Works perfectly.

Thanks!

-Rob