I wanted to Disable AntiForgeryToken refresh on every page load. Instead it show come up with unique AntiForgeryToken for every browser session. Like CSRF in PHP Laravel.
I am clueless if there is any option to disable it on every page load or enable it to throw unique token for every broswer session.
Reason is i am using it in one of my SPA application which ultimately never reloads any page because of angular and ajax requests and the problem is when i successfully submit the form once to the server then AntiForgeryToken Expires and gives error.
Related
How can i expire a session when the system sits idle for some time. After completing that time it should be redirected to login page. I need to do this controller side. I am using asp.net mvc3 application.
The session will expire on the server when it times out.
If you want the browser to redirect at the same time you'd have to have a counter on the client, in JavaScript, which on 0 would do a redirect to your login page.
The controller cannot force the redirect of a browser without some action from the client. You could also look at having some kind of persistant connection like SignalR but that might be more than you need.
Another solution would be to have a refresh header like in this answer
ASP.NET Push Redirect on Session Timeout
I have a legacy asp.net web form web site, it uses forms authentication. Now, I have the requirement to create a new sub MVC application in the web site. My new application is most likely a SPA that means most actions are done through Ajax. Everything works fine until session time out, because once time out, my background Ajax returns the content of form login page instead of my json data. This is correct session behavior, but how can I know session time out in ajax and then redirect the page to login page?
You can trap the failure of your AJAX calls and look for 401 result, which means that the request was not authorised.
I'm assuming you're using Web API for your service calls here - if you're calling methods on your normal MVC controller you'll need to do a little bit of work to ensure unauthenticated requests return 401 instead of redirecting you to the login page.
I have an application that is wired with Spring 3.1 authentication. I have some pages which makes AJAX requests to show some information on the dialog. Now, if the user's session has timed out, the Spring redirects to the login page. I don't want an AJAX based login page. I would like the user to be navigated to the login page entirely, by canceling current operation. Once user logs in, navigate user back to the last page where he was (from where the AJAX request was made).
The redirection stuff works fine if the request is made from a page.
The class which performs the redirect to the login page is the LoginUrlAuthenticationEntryPoint. I would write a customized AuthenticationEntryPoint implementation which detects the Ajax request (for example, by looking at the Accept header), and sends an error code instead of performing a redirect.
You'll still have to detect this on the client side though. There's not much Spring Security can do there, but you should be able to reload the current page from Javascript, which will force a login, followed by a redirect to the original page (default Spring Security behaviour).
I have an ASP.NET MVC 3 application. The site involves people writing lengthy responses using a textarea in a web form. Occasionally, users are complaining that they are getting redirected to the log in form after they post their data. I am not sure exactly why they are getting logged out because the users do not typically provide enough information on their errors. I believe it is due either to a session time out or the application has been restarted for some reason. This is on a shared web hosting site and it does not have its own app pool.
In any case, regardless of the reason, I would like to capture that post data and save it to a db or text file. How can I get the post data and save it while the controller redirects the user to the login screen.
I know the long term plan would be to identify why the timeout is occurring. But for now I want to be able to grab the post data and recover it at a later time.
First, in order to avoid timeouts, I would recommend using client-side heartbeat solution (like http://plugins.jquery.com/project/Heartbeat)
Second, assuming that you are using forms authentication, in order to save posted data, when Forms Authorization Module is redirecting your users, you will need to intercept redirects in EndRequest HttpApplication event handler in Global.asax or your own module.
The way to intercept those requests is not that straightforward, since on "EndRequest" pipeline step you will see 302 HTTP status code (redirect instruction), not 401 (Unauthorized error). So you may check if request is not authenticated (HttpContext.User.Identity.IsAuthenticated) and request is redirected - in this case you may save what you see in the request.
Otherwise you would need to disable forms authentication and use some solution, which is closer to ASP.NET MVC.
one solution can be to put a javasscript timer which keeps on hitting the server after specified interval to keep session alive until u figure out the cause of session time out (only i its the session timeout problem)
If you want to stop the session from timing out, you can add a hidden iframe on the page. For example, create a new page called KeepSessionAlive and do this:
<meta http-equiv="refresh" content="600">
where content = seconds.
I don't know about MVC 3, but the way you can get and store the post values is to catch them before redirecting the user to the Login page.
I have an ASP.Net MVC application. I am using an AJAX request on a page which requires user authentication to fire an action on another controller, which returns a view to update a table on the page. The action that the AJAX request makes also requires authentication. The issue comes up when the user lets their session timeout and then does something to fire the AJAX request. The entire page does not redirect to the login page. Instead, the view returned to the AJAX request is the login page, which then is populated inside the div meant for the refreshed data table.
Is there a way to at least have the request return an error message instead of the login view?
Sure, you could create your own Authorize attribute and check if HttpContext.Current.Request.Headers["XMLHttpRequest"] then return error message else redirect to login page