Forms authentication questions

  • Thread starter: john

john

I have 2 questions:

1. I am trying to use forms authentication. When the user logs out, I
make these function
calls:
Session.Abandon();
FormsAuthentication.SignOut();
But after they log out, the user can (e.g. through the web history) go
and look at any pages that were already viewed when the session was
going on because of the cache. I don't want them to be able to do
that. So if I put the following function call in the Page_Load
function of every page, it fixes the problem:
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Is it possible to do this globally so that it applies to every page in
the application rather than having to do it in every page?

2. I want the session to time out and for forms authentication to
automatically log the user out if they haven't done anything for a
while. So I set the Session.Timeout to something appropriate and it
times out great. I put the FormsAuthentication.SignOut() function call
inside the Session_End() function (which gets called properly when the
session times out), but it doesn't seem to log the user out of forms
authentication. The user can still view all the pages. How can I do
this?

Thanks in advance
 
Hello

The answer to the first question is to put the Response.Cache.SetCacheability
call in Application_BeginRequest.
As for the second question, the FormsAuthentication timeout can be achieved
using the timeout attribute of the forms element in web.config:
<authentication mode="Forms">
  <forms loginUrl="login.aspx" timeout="30" slidingExpiration="true" />
</authentication>

The default value is 30. The slidingExpiration setting makes the 30 minutes
renewable while the user keeps browsing the site; otherwise his session will
expire as soon as the 30 minutes are over, regardless of his activity.

Best regards,
Sherif
 
Thanks for the response. Your suggestions work! Is there any way I can
set the forms authentication timeout programmatically rather than in
web.config?
 
Hello

In this case, you have to manually issue the forms authentication ticket
instead of using RedirectFromLoginPage:

// username, role and formsTimeout (in minutes) are set by the login page.
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
    username, DateTime.Now, DateTime.Now.AddMinutes(formsTimeout), false, role);
string encTicket = FormsAuthentication.Encrypt(ticket);

// Store the encrypted ticket in the forms authentication cookie.
HttpCookie cookie =
    HttpContext.Current.Response.Cookies[FormsAuthentication.FormsCookieName];
if (cookie == null)
{
    cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
    HttpContext.Current.Response.Cookies.Add(cookie);
}
else
{
    cookie.Value = encTicket;
}

// Send the user back to the page that was originally requested.
string url = HttpContext.Current.Request.QueryString["ReturnUrl"];
if (url == null)
{
    url = "Default.aspx";
}
HttpContext.Current.Response.Redirect(url, true);

Best regards,
Sherif
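
The manual ticket issuance from the reply above, with the cookie flags set explicitly and ReturnUrl followed only when it is a site-relative path. This is an added example, not code from the thread; AuthHelper, SignIn and IsLocalUrl are hypothetical names, and it assumes the site is served over HTTPS.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; AuthHelper, SignIn and IsLocalUrl are hypothetical names.
public static class AuthHelper
{
    // Issues the forms authentication ticket with a caller-chosen lifetime.
    public static void SignIn(HttpContext ctx, string username, string role, int timeoutMinutes)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, username, now, now.AddMinutes(timeoutMinutes),
            false,                                 // session cookie, not persisted
            role,                                  // userData
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                       // not readable from script
            Secure = true,                         // assumption: HTTPS-only site
            Path = FormsAuthentication.FormsCookiePath
        };
        ctx.Response.Cookies.Set(cookie);          // replaces any earlier auth cookie

        // ReturnUrl comes from the query string, so follow it only when it
        // points back into this application.
        string url = ctx.Request.QueryString["ReturnUrl"];
        if (!IsLocalUrl(url))
        {
            url = "Default.aspx";
        }
        ctx.Response.Redirect(url, true);
    }

    // True for site-relative paths such as "/reports/1.aspx"; false for
    // absolute, scheme-relative ("//host") or backslash ("/\host") targets.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        return url.IndexOfAny(new[] { '\r', '\n' }) < 0;
    }
}
```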
 