ASP.Net 4.0 application, using Forms Authentication, timeout="1". The redirect page is Login.aspx.

As soon as I log into the application, I am taken into a default page (Page A), and if I wait idle for 1 minute and then try to access another page (Page B), I am re-directed to the login page (correctly).

If, however, as soon as I log in, I access Page B and wait idle for 1 minute and then try to perform some other postback action, I am allowed to do so (whereas I should be thrown back to the Login.aspx).

Am I missing something here?

  • Are you sure you are waiting the full 1 min? Can you try clearing your cookies just before the postback and see if that works? Commented Oct 12, 2012 at 6:24
  • Yes, I am timing myself; you mean clear the cookies from the browser? Commented Oct 12, 2012 at 8:33
  • Yes. That will ensure the cookie is destroyed and you should be redirected to login when the postback occurs. How do you get to Page B from Page A? Is it a hyperlink or redirect after postback? If it's the latter, then Page B might not be under the FA restricted area (for example, in a different folder not secured by FA). Commented Oct 12, 2012 at 16:41
  • The redirection is from the menu which is bound to the web.sitemap file. PageB is not under the same folder as PageA; how can I know whether the folder PageB is in is under FA or not? Commented Oct 12, 2012 at 20:54

1 Answer

Make sure all the required folders are managed by FA...

<system.web>
    <authentication mode="Forms">
        <forms name=".AUTH_COOKIE" loginUrl="~/login.aspx" protection="All" timeout="2880" requireSSL="false"/>
    </authentication>
</system.web>

Then, just after the system.web element of the web.config, add as many of these entries as are required to secure folders (remember, leave out the initial forward slash - all paths are absolute by default)...

<location path="securefolder">
    <system.web>
        <authorization>
            <deny users="?"/>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

EDIT:

Keep in mind that sub folders of secured folders are secured by default - the allows the specification of multiple folders that are not nested.
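
One way to check which folders are actually covered, for the commenter's question about whether Page B's folder is under FA (an added example, not part of the original answer): the script reads a root web.config and reports whether an unauthenticated request for a given page would pass URL authorization. It assumes a single root web.config with no nested web.config files, ignores the `verbs` attribute, and uses a constructed sample config plus hypothetical page paths (`other/PageB.aspx` is not from the post).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's two snippets combined in one root web.config.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".AUTH_COOKIE" loginUrl="~/login.aspx" protection="All" timeout="2880" requireSSL="false"/>
    </authentication>
  </system.web>
  <location path="securefolder">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""


def anonymous_allowed(config_xml, page):
    """Return True if an unauthenticated request for `page` passes URL authorization."""
    root = ET.fromstring(config_xml)
    page = page.strip("/").lower()
    scopes = []
    for loc in root.findall("location"):
        path = (loc.get("path") or "").strip("/").lower()
        # A <location> covers its own path and everything nested below it.
        if path in ("", ".") or page == path or page.startswith(path + "/"):
            scopes.append((len(path), loc.find("system.web/authorization")))
    # Site-wide rules are consulted last, after every matching <location>.
    scopes.append((-1, root.find("system.web/authorization")))
    for _, authz in sorted(scopes, key=lambda s: s[0], reverse=True):
        for rule in (authz if authz is not None else []):
            users = [u.strip() for u in (rule.get("users") or "").split(",")]
            # "?" means anonymous users, "*" means everyone; the first match wins.
            if "?" in users or "*" in users:
                return rule.tag == "allow"
    return True  # nothing matched: the inherited default is <allow users="*"/>


if __name__ == "__main__":
    # Hypothetical page paths; "other" is a folder with no <location> entry.
    for p in ("securefolder/PageA.aspx", "other/PageB.aspx"):
        print(p, "anonymous allowed:", anonymous_allowed(SAMPLE_CONFIG, p))
```

A page for which this returns True is served without consulting the authentication ticket, so an expired cookie never triggers the redirect to the login page there.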
