How do I time out the session of an ASP.NET MVC logged-in user after about 5 mins or so, forcing him to log in in order to continue?
Since MVC is just like WebForms in that they both run on ASP.NET, and assuming you're using Forms Authentication, you can either:
Force the user to log out with FormsAuthentication.SignOut(), which will clear their authentication cookie; or
Set the forms authentication timeout value (default is 30 minutes). For example:
<system.web>
  <authentication mode="Forms">
    <forms timeout="5"/>
  </authentication>
</system.web>
Related
I have done this in my web.config.
<system.web>
  <sessionState mode="InProc" timeout="3"></sessionState>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="2880"/>
  </authentication>
</system.web>
After session timeout it clears all the data, but it is not redirected to the login page.
Session timeout has nothing to do with authentication timeout - an InProc session is held in memory whereas the authentication token is a cookie which contains an expiry date/time.
What you would have to do is force the expiration of the authentication ticket in the Session_Ended event in the global.asax - see this answer on how to do that as it's not just as simple as calling FormsAuthentication.SignOut.
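One way to tie the authentication ticket to the session, shown as an added example that is not code from the answer above or from the answer it links to. The session key name and the login-action lines in the comment are assumptions; the check runs on the next request because Session_End has no response in which to clear a cookie.

```csharp
// Global.asax.cs -- added example, not code from the answers on this page.
using System;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // Hypothetical session key. The login action is assumed to set it right
    // after issuing the ticket:
    //     FormsAuthentication.SetAuthCookie(userName, false);
    //     Session[MvcApplication.SessionUserKey] = userName;
    public const string SessionUserKey = "AuthenticatedUser";

    // Session_End runs without an HTTP request/response (and only for InProc
    // session state), so it cannot clear the browser's cookie. Check on the
    // next request instead, once session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null) return;   // e.g. static files
        if (!ctx.Request.IsAuthenticated) return;         // no valid ticket

        string sessionUser = ctx.Session[SessionUserKey] as string;
        string ticketUser = ctx.User.Identity.Name;

        // Valid ticket but no matching marker: the session that belonged to
        // this login has timed out (or the application pool was recycled).
        if (!string.Equals(sessionUser, ticketUser, StringComparison.Ordinal))
        {
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();             // expires the auth cookie
            FormsAuthentication.RedirectToLoginPage(); // does not end the request
            CompleteRequest();                         // skip the MVC handler
        }
    }
}
```

FormsAuthentication.SignOut() only removes the cookie from the browser; a copy of the ticket stays cryptographically valid until its own expiry. Because this check also requires the server-side session marker, such a copy is rejected once the session is gone, and a shorter forms timeout narrows the window further.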
I have an ASP.Net MVC app, making use of Forms Authentication, with the following config:
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="1440" slidingExpiration="true" />
</authentication>
The user count ranges between 20 and 40. Users log in and use the application without a problem...90% of the time.
However, we are finding that on a seemingly random basis, all users suddenly get logged out at the same time, and are presented with the Logon screen again.
The ELMAH log shows that the requests all still have their respective aspxauth cookies, yet the Request.User.Identity is unauthenticated, and has a blank Name.
Please advise where I can start looking, as I am at my wits' end on this.
In my Web.config file, I have been trying to set the session timeout. I used the following code:
<configuration>
  <system.web>
    <sessionState timeout="1"></sessionState>
  </system.web>
</configuration>
When I ran the app, the timeout was still set to the default 20 minutes. Trying to figure out why the settings are not applying. Please help! Thanks!
Don't be confused between ASP.NET session timeout (which is what you set) and Forms Authentication cookie timeout which is something entirely different and controlled by the <forms> tag:
<authentication mode="Forms">
  <forms
    loginUrl="/login"
    timeout="1" />
</authentication>
ASP.NET session uses cookies to track users (it has nothing to do with authentication) and associate their unique id with a hashtable stored on the server. Forms authentication on the other hand is a means of tracking authenticated users in ASP.NET. It uses cookies but it is a different cookie than the ASP.NET session.
I have the following scenario: a user logs in using a Google account and then I call FormsAuthentication.SetAuthCookie(name, true);. In my web.config I have
<authentication mode="Forms">
  <forms cookieless="UseCookies" name=".someName" slidingExpiration="true" timeout="10080"/>
</authentication>
And that's it, no membership provider, no dbo.aspnet_* tables. And that would be fine, except sometimes (I don't know why), even when the user doesn't close the browser and sends requests periodically, he becomes non-authenticated again. Can anyone explain why?
And what should I do to make authentication persistent? It would be great if the solution didn't involve SQL Server, as there isn't any.
I have an ASP.NET MVC register view. This is the first page. If someone sits on it long enough for the session to expire, then starts entering data and submits the form, it automatically goes into my HttpGet Action Result for register.
Is this default behavior? Can it be changed so the user does not get a session timeout on the first page of the website?
I think you are confusing the notions of session, authentication, and binding values to action parameters. In your case I suppose you are talking about authentication. A non-authenticated user cannot access actions and/or controllers decorated with the [Authorize] attribute. If you are using FormsAuthentication, the validity of the authentication cookie is defined in web.config:
<authentication mode="Forms">
  <forms loginUrl="/login"
         protection="All"
         slidingExpiration="false"
         timeout="30" />
</authentication>
You could adjust this timeout. If you want to increase the session timeout take a look at the sessionState tag in web.config.
If someone sits on it long enough for the session to expire, then starts entering data and submits the form, it automatically goes into my HttpGet Action Result for register.
HTTP POST does not have anything to do with sessions (which are technology-stack specific). A form can be submitted in 5 minutes or in 5 years; it's the same.