I want to detect when an ASP.NET Forms Authentication ticket has expired. I then want to log to the server the user that was signed out because of inactivity. Is there an event that fires on the server when the authentication ticket has expired?

<sessionState mode="InProc" timeout="5"></sessionState>
<authentication mode="Forms">
  <forms loginUrl="~/Home/AccessDenied" timeout="5" />
</authentication>

In the global.asax file, I have tried Session_OnEnd(), but the context.user object is null. When I call membership.getuser() it also returns null. I have tried making the session time out before the auth but that doesn't help. I am using MVC 3 and IIS 7.5.

  • I added a timer on the client. It pops up a notification that tells the user they have been inactive for some time. If they want to extend their session then I send an AJAX post to the server and do an update on the Membership User object, which extends their forms authentication session. I am open to other suggestions. Commented Nov 3, 2011 at 17:13
  • You could use a combination of this method to determine the timeout by reading the ticket and adding that value to the JavaScript that goes to the page. Commented Nov 3, 2011 at 18:24

1 Answer

Session and forms authentication have two completely separate timeouts. See my posting on this here:

How can I handle forms authentication timeout exceptions in ASP.NET?

In Application_PreRequestHandlerExecute you need to check the ticket.

Also be sure your session and forms auth timeouts are in sync using the code I posted there, not just by setting both to, say, 60 minutes. Since forms auth doesn't update the 'touched' time until half of the time passes by, and session time is updated on every request, they get out of sync.

3 Comments

Thanks for your response. I am trying to find out when the forms auth ticket expires. Your solution works if they click on another page. But if they close the browser, I do not know when the forms auth ticket expires.
You won't. The ticket isn't held on the server. The server knows nothing about the ticket. It's completely held on the client side, which is a reason these were hacked with the POET vulnerability a year ago. It is only checked when you send it to the server with a request (or lack thereof on a request).
It was not possible, as Adam stated. To work around it, I used jQuery to count down when a user stopped interacting with the site. Then I popped up a dialog once their session was about to expire. If they clicked 'extend' then I sent an AJAX call to the server. The call called membership.updateuser which extended the timeout for the forms auth ticket.
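
The timing behaviour described in the answer and its comments, as an added example that is not code from the original posts: a small Python model of the two sliding timeouts, showing that the ticket can expire while the session is still alive and that the server can only log the expiry when a later request arrives. The names `Ticket`, `renew_if_old` and `first_expiry`, the user `alice` and the request timelines are constructed for illustration; the 5-minute value mirrors the configuration in the question.

```python
from dataclasses import dataclass

TIMEOUT = 5 * 60  # seconds; mirrors timeout="5" for both settings in the question


@dataclass
class Ticket:
    user: str
    issued: int
    expires: int


def renew_if_old(ticket, now):
    """Forms-auth sliding expiration: reissue only once more than half
    of the ticket lifetime has elapsed; otherwise keep the old expiry."""
    if now - ticket.issued <= ticket.expires - now:
        return ticket
    lifetime = ticket.expires - ticket.issued
    return Ticket(ticket.user, now, now + lifetime)


def first_expiry(request_times, user="alice"):
    """Replay request times (seconds after login) and return what the server
    can log at the first request carrying an expired ticket, or None if no
    such request ever arrives (for example, the browser was closed)."""
    ticket = Ticket(user, 0, TIMEOUT)
    session_expires = TIMEOUT
    last_request = 0
    for now in request_times:
        if now >= ticket.expires:
            return {
                "user": ticket.user,
                "expired_at": ticket.expires,
                "detected_at": now,
                "idle_seconds": now - last_request,
                "session_alive": now < session_expires,
            }
        ticket = renew_if_old(ticket, now)
        session_expires = now + TIMEOUT  # session slides on every request
        last_request = now
    return None


if __name__ == "__main__":
    # Constructed timelines, in seconds after login.
    print(first_expiry([120, 400]))  # early request does not renew the ticket
    print(first_expiry([160, 400]))  # request past the halfway point renews it
    print(first_expiry([120]))       # no later request: nothing to log
```

In the first timeline the user is signed out after only 280 seconds of inactivity while the session still has 20 seconds left, which is the drift the answer warns about.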
