2

Can I handle forms authentication timeout in Global.asax? Just like the Session_End in global.asax? Please advice.

I'm setting timeout in forms auth in my webconfig with these: 

<forms name="formName" loginUrl="Login.aspx" protection="All" path="/" timeout="30"/>

Thanks to all! :)

Improve this question

1 Answer 1

Reset to default
2

No you can not because the timeout is encoded on the authentication cookie, and is lives on the browser (not on server side).

You can either make that custom, to also keep on a database the user timeout - but its not so easy, and alternative you can use the Application_AuthenticateRequest on global.asax to check right before the request if the user is not authenticated any more.

One example on how to remove session data if the the user is not authenticate. On global asax.

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // get the authCookie
    HttpCookie authCookie = Context.Request.Cookies[cookieName];
    // if is null then the use is not Authendicated
    if (null == authCookie && System.Web.HttpContext.Current.Session != null)
    {
        // now check if you have Session variables that you wish to remove.
        if(System.Web.HttpContext.Current.Session["flag"] == "1")
        {
            // remove your session data


        }   
    }
}

You maybe also check with 

if(HttpContext.Current.User == null || HttpContext.Current.User.Identity == null || !HttpContext.Current.User.Identity.IsAuthenticated)
{
        // now check if you have Session variables that you wish to remove.
        if(Session["flag"] == "1")
        {
            // remove your session data         

        }    
}
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

my problem is, when my forms auth timeouts, the session variables still remains. How can I handle that situation, please advise, thanks Aristos!
@JRC I will add an example on the answer shortly.
after your first answer, I tried to remove sessions in Application_AuthenticateRequest in global.asax, but I got an HttpException, saying Session State is not accessible in this context. :(
@JRC I update it, try the System.Web.HttpContext.Current.Session - you can get the session Just need the correct call.
thanks for your help Aristos! I get it now! Sorry for being a noob :(

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.