Forms Authentication: How to distinguish between Idle-Session-Timeout and un-authenticated request?


MAX2006

Hi,

We use forms authentication in our application. We need to have two
separated pages for Idle-Session-Timeout and unauthenticated requests.

Here is the definition of the two scenarios

- Idle-Session-Timeout: User already logged in but abandoned the browser and
the authentication ticket has timed out

- Unauthenticated requests: User bookmarked a page in the secured area and tries
to jump to that page without signing in to the site


How to distinguish between these two scenarios?
Any help would be appreciated,
Max
 
Thanks for the reply.
The question is about the neat difference between two critical scenarios.
We need to distinguish between the time that the user leaves the browser idle
(time out) and when an un-educated user adds a non-public page to the browser's
bookmarks. The business community wants two different messages for each
scenario.

Does this make sense?


"S. Justin Gengo"
 
Max,

Yes, I understand perfectly. It's easy enough to tell if a session just
began. One way would be to store the time the session began right within a
session variable. If a user accesses a secure page directly from a bookmark
and their session just began (measured in milliseconds) then if that value
returned is short enough you could make the assumption they arrived from a
bookmark.

Your real problem is going to be abandoned sessions. It's going to be very
hard to tell if a user has returned. The only value to tell users apart that
you would have is going to be their I.P. and you can't rely on an I.P.
address to tell users apart. You may luck out here if the app is internal
only. But if it's public facing I don't think you can do it. You'd have to
install an ActiveX control or the like in order to get something like each
user's MAC address.

The only other thing I can think of that could be tried would be to store a
value in both session state and in viewstate. Then on post-back the values
could be compared. If the value exists in view state and not in session then
the session timed out. But this would only work for post-backs. That
wouldn't work for most site links to a new page. I suppose you could store a
value in session and the query string so it could be appended to absolutely
every link and postback. Then you could check for the value in querystring
or viewstate...

I'm afraid those are my only ideas. If I think of something else I'll let
you know.

--
Sincerely,

S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
 
Hi Max,

From your description you want to distinguish the access after ticket
timeout when using Forms Authentication from accessing a page directly from a
bookmark, right?

As far as I know it's difficult to know this at the server side directly since
FormsAuthenticationModule simply redirects the request to the login page
after ticket expiration. It's just the same as what it does for
unauthenticated requests.

However, there's a workaround, that is to use JavaScript to get the URL of
the previous page. If the request is sent directly the URL of the previous page
is an empty string. Then we can distinguish these two scenarios.

You can try the following code to test:

Login.aspx:

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title></title>
    <script type="text/javascript">
        // document.referrer holds the URL of the page the browser came from;
        // it is an empty string when the login page was requested directly.
        function Test() {
            alert(document.referrer);
        }
    </script>
</head>
<body onload="Test()">
    <form id="form1" runat="server">
    <div>
        <asp:Login ID="Login1" runat="server">
        </asp:Login>
    </div>
    </form>
</body>
</html>

Please let me know if it works and feel free to ask if you have additional
questions.

Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
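Allen's referrer check, carried through to the two messages Max asked for, as an added example that is not code from the thread. It assumes the login page and the secured pages share one origin, that the login page contains an element with id "loginMessage" (hypothetical), and it treats a referrer that is the login page itself (a failed sign-in post-back) as neither case.

```javascript
// Added example (not from the thread): classify how the browser reached
// Login.aspx from document.referrer, as Allen's reply suggests.
// Assumption: secured pages and the login page share one origin, and the
// login page has an element with id "loginMessage" (both hypothetical).
function classifyLoginArrival(referrer, loginUrl) {
  const login = new URL(loginUrl);
  // Empty referrer: the URL was typed or bookmarked, or the browser dropped
  // the Referer header (Referrer-Policy, HTTPS to HTTP downgrade). Either
  // way there is no evidence of a prior page, so treat it as direct access.
  if (!referrer) {
    return "unauthenticated";
  }
  let ref;
  try {
    ref = new URL(referrer);
  } catch (e) {
    return "unauthenticated"; // malformed referrer: no usable evidence
  }
  if (ref.origin !== login.origin) {
    return "unauthenticated"; // arrived from another site, not our secured area
  }
  if (ref.pathname.toLowerCase() === login.pathname.toLowerCase()) {
    // A reload or post-back of the login page itself (e.g. a failed sign-in)
    // must not be reported as an idle timeout.
    return "login-page";
  }
  // The 302 to Login.aspx keeps the referrer of the request that hit the
  // secured page, so a same-origin referrer means the user was already
  // browsing the site when the ticket expired.
  return "timeout";
}

// Message text per outcome, returned (not written) so it can be checked
// without a DOM.
const LOGIN_MESSAGES = {
  timeout: "Your session timed out due to inactivity. Please sign in again.",
  unauthenticated: "Please sign in to view this page.",
  "login-page": ""
};

function loginMessageFor(referrer, loginUrl) {
  return LOGIN_MESSAGES[classifyLoginArrival(referrer, loginUrl)];
}

// Browser hook for <body onload="showLoginMessage()">; no-op outside a DOM.
function showLoginMessage() {
  if (typeof document === "undefined") return;
  const box = document.getElementById("loginMessage");
  if (box) box.textContent = loginMessageFor(document.referrer, location.href);
}
```

An empty referrer is only weak evidence of a bookmark: a strict Referrer-Policy or a mixed HTTP/HTTPS deployment strips it for redirected users too, so the "timeout" message should never be relied on for anything beyond wording.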
 
Hi Max,

Have you solved this issue?

Regards,
Allen Chen
Microsoft Online Support
 