Session time out from sub web application - asp.net-mvc

I have a legacy asp.net web form web site, it uses forms authentication. Now, I have the requirement to create a new sub MVC application in the web site. My new application is most likely a SPA that means most actions are done through Ajax. Everything works fine until session time out, because once time out, my background Ajax returns the content of form login page instead of my json data. This is correct session behavior, but how can I know session time out in ajax and then redirect the page to login page?

You can trap the failure of your AJAX calls and look for 401 result, which means that the request was not authorised.
I'm assuming you're using Web API for your service calls here - if you're calling methods on your normal MVC controller you'll need to do a little bit of work to ensure unauthenticated requests return 401 instead of redirecting you to the login page.

Related

ASP.NET MVC 5 - Disable AntiForgeryToken refresh on every page load

I wanted to Disable AntiForgeryToken refresh on every page load. Instead it show come up with unique AntiForgeryToken for every browser session. Like CSRF in PHP Laravel.
I am clueless if there is any option to disable it on every page load or enable it to throw unique token for every broswer session.
Reason is i am using it in one of my SPA application which ultimately never reloads any page because of angular and ajax requests and the problem is when i successfully submit the form once to the server then AntiForgeryToken Expires and gives error.

How to expire a session when the system sits idle in asp.net mvc3

How can i expire a session when the system sits idle for some time. After completing that time it should be redirected to login page. I need to do this controller side. I am using asp.net mvc3 application.
The session will expire on the server when it times out.
If you want the browser to redirect at the same time you'd have to have a counter on the client, in JavaScript, which on 0 would do a redirect to your login page.
The controller cannot force the redirect of a browser without some action from the client. You could also look at having some kind of persistant connection like SignalR but that might be more than you need.
Another solution would be to have a refresh header like in this answer
ASP.NET Push Redirect on Session Timeout

MVC FormsAuthentication time out - AJAX considerations

Hope you can help. In my ASP.net MVC3 app, all my controllers descend from a customized controller I have created.
Upon FormsAuthentication time out, my app correctly redirects users to the login page if they attempt to access any page (standard functionality).
However, for Ajax.ActionLink and Ajax.BeginForm calls, they just return nothing, which confuses users if the browser is left open for more than 20 minutes and then they try to access an Ajax link.
Is there any code I can put in to my base controller that will work generically so that when it detects an inbound Ajax call and we have timed-out, it will redirect users to my login page as expected?
I don't mind if it doesn't return to the original page afterwards - happy for it to just go to the Home Index page.
Thanks in advance for any help you can provide.
Simon.
You may take a look at the following blog post which illustrates a nice way to prevent the FormsAuthentication module from redirecting to the logon page in case of an AJAX request and simply send a 401 status code to the client so that it can act accordingly.

In an ASP.NET MVC 3 application, how can I save the post data in the where their session times out

I have an ASP.NET MVC 3 application. The site involves people writing lengthy responses using a textarea in a web form. Occasionally, users are complaining that they are getting redirected to the log in form after they post their data. I am not sure exactly why they are getting logged out because the users do not typically provide enough information on their errors. I believe it is due either to a session time out or the application has been restarted for some reason. This is on a shared web hosting site and it does not have its own app pool.
In any case, regardless of the reason, I would like to capture that post data and save it to a db or text file. How can I get the post data and save it while the controller redirects the user to the login screen.
I know the long term plan would be to identify why the timeout is occurring. But for now I want to be able to grab the post data and recover it at a later time.
First, in order to avoid timeouts, I would recommend using client-side heartbeat solution (like http://plugins.jquery.com/project/Heartbeat)
Second, assuming that you are using forms authentication, in order to save posted data, when Forms Authorization Module is redirecting your users, you will need to intercept redirects in EndRequest HttpApplication event handler in Global.asax or your own module.
The way to intercept those requests is not that straightforward, since on "EndRequest" pipeline step you will see 302 HTTP status code (redirect instruction), not 401 (Unauthorized error). So you may check if request is not authenticated (HttpContext.User.Identity.IsAuthenticated) and request is redirected - in this case you may save what you see in the request.
Otherwise you would need to disable forms authentication and use some solution, which is closer to ASP.NET MVC.
one solution can be to put a javasscript timer which keeps on hitting the server after specified interval to keep session alive until u figure out the cause of session time out (only i its the session timeout problem)
If you want to stop the session from timing out, you can add a hidden iframe on the page. For example, create a new page called KeepSessionAlive and do this:
<meta http-equiv="refresh" content="600">
where content = seconds.
I don't know about MVC 3, but the way you can get and store the post values is to catch them before redirecting the user to the Login page.

Make ajax get redirect main page to login when auth times out

I'm using ASP.Net MVC beta 1 and I'm using the asp.net membership provider with the standard authentication controller to restrict access to my site.
I'm using ajax functionality to provide e.g. editing of values by loading partial views into a div with either jQuery $.get/$.ajax or with the Ajax.Actionlink MVC helper. This all works fine most of the time.
My problem comes once the login times out and you click on one of the ajax edit links - the ajax call returns the login page which is put into the div normally used for the edit form.
I want to find a way to redirect the whole page to the login form, when the authentication has timed out and an ajax link is clicked.
One way I can think of is looking at the html returned from the ajax call in the response callback and searching for the 'login' text or form field and doing a redirect from there - but this doesn't feel very clean - is there a better way?
This might help some:
Bypass Forms Authentication auto redirect to login, How to?
From the above answer it looks like http 403 isn't intercepted by Forms Authentication, so you can roll your own ActionFilter that returns an http 403 response if its an Ajax Request and Authorization failed.
On the client side, you could then check the response code for 403, and redirect to the appropriate login url.
There are probably other ways to do this as well!

Resources