I have an ASP.NET application that is using forms authentication with a timeout set to five minutes. On my page I have a button, that when clicked, makes an AJAX call to an operation that lives on the service named in my .svc file. How do I know, from the client javascipt that the application has timed out? Or, how can I detect this in the global.asax; maybe in the application_beginrequest?
Asked
Active
Viewed 809 times
2 Answers
0
If you're talking about the session timeout. When this occurs, the IHttpSessionState.IsNewSession property should be set to true.
If you're referring to the auth timeout, then you have to check the AuthenticationTicket for expiration.
Chris Gessler
- 22,727
- 7
- 57
- 83
-
Which means that you will need to explicitly create an AuthenticationTicket when the user logs in and not count on the one .Net creates when one isn't provided. You will name the ticket at that time, so you should be able to get the cookie in javascript. – TheGeekYouNeed Jun 23 '12 at 12:25
-
@TheGeekYouNeed But if you follow the [recommended security guidelines and set HttpOnly](https://www.owasp.org/index.php/HttpOnly) on the cookies you will not be able to access them via client script. – explunit Oct 15 '12 at 15:44
0
A variation on your approach: have a separate client script that first checks for authentication expiration by requesting a special page/handler which returns JSON structure to indicate the authentication status of the current user. Only after knowing that the user is still active do you then run your main ajax action. It's one more request but keeps you from entangling the timeout logic with the main ajax logic. You can also use separately in a "warning, your session will time out in x minutes" popup.
See this question and my answer there for more details about how to set it up, but the key point is that if you don't want the check for expiration to extend the sliding expiration you have to configure the expiration page/handler as a separate virtual directory with forms authentication set with slidingExpiration=false.
