5

I am trying to implement a Web Application Project where my web pages can check the server for the Authentication ticket expiration date/time using AJAX.

I am using Forms Authentication with slidingExpiration.

The problem I run across is I can't figure out how to check the value without resetting it. I created a simple page - CheckExpiration.aspx - below is the code behind:

  private class AjaxResponse
  {
     public bool success;
     public string message;
     public string expirationDateTime;
     public string secondsRemaining;
     public string issueDate;
  }

  protected void Page_Load(object sender, EventArgs e)
  {
     AjaxResponse ar = new AjaxResponse();
     JavaScriptSerializer js = new JavaScriptSerializer();

     if (HttpContext.Current.User.Identity.IsAuthenticated)
     {
        // Read the forms authentication ticket attached to the current user
        FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
        string expiration = id.Ticket.Expiration.ToString();

        TimeSpan timeRemaining = id.Ticket.Expiration - DateTime.Now;

        ar.success = true;
        ar.expirationDateTime = expiration;
        ar.issueDate = id.Ticket.IssueDate.ToString();
        // Formatted as minutes:seconds
        ar.secondsRemaining = timeRemaining.Minutes.ToString() + ":" + timeRemaining.Seconds.ToString();
     }
     else
     {
        ar.success = false;
        ar.message = "User not authenticated";
     }

     // Serialize once and write the JSON to the response
     string output = js.Serialize(ar);
     Response.Write(output);

  }

I call this page from the Master page in my application using ajax every second. Past the halfway point in the authentication expiration, the expiration gets reset.

How do I prevent this behavior? Is there anything I can do in the header of the request maybe?

Francis C
  • Check this: is it something similar, or is your issue different? http://www.dotnetmonster.com/Uwe/Forum.aspx/asp-net-security/2316/problem-with-slidingExpiration – Scorpio Oct 10 '12 at 17:43
  • I think that this post you're linking to is someone having problems with the default behavior of .net. I don't care for that behavior because if you stay idle, you won't know you've been logged out at the server level until you try to do something. I am trying to make something more user friendly, where you will be informed that you are about to get logged out. I also don't want to rely only on a javascript timer set upon entering a page because the authentication could be refreshed from another tab. – Francis C Oct 10 '12 at 17:53

2 Answers

0

Why don't you store the expiration as a session variable that you compute yourself? You only need to get the value of id.Ticket.Expiration once. Then each call, get the value from the server and increment it accordingly, and store it back on the server.

http://msdn.microsoft.com/en-us/library/ms178581%28v=vs.85%29.aspx

Pseudocode:

// id is the FormsIdentity obtained as in the question's Page_Load
if (Session["Expiration"] == null)
{
  Session["Expiration"] = id.Ticket.Expiration;
}

Session["TimeRemaining"] = (DateTime)Session["Expiration"] - DateTime.Now;

// get all ajaxy here
0x1mason
0

Put your CheckExpiration.aspx page in its own application and deploy this as a virtual directory beneath your main application. In that virtual directory, configure slidingExpiration=false. Your code will work as-is but will not regenerate the ticket when it gets below half the time until expiration.

Here's what I did in a quick local project to verify that it works:

  1. Created a new web application AuthTest4 and configured it to use local IIS server in path /AuthTest4
  2. Went into IIS and changed the Machine Key setting for /AuthTest4 to uncheck all the AutoGenerate/Isolate options and generated its own MachineKey.
  3. Created an empty web application ExpCheck and put your CheckExpiration.aspx code in it
  4. Configured ExpCheck web application to use local IIS in the virtual directory /AuthTest4/ExpCheck
  5. Modified the web.config of ExpCheck application to have only the section shown below

ExpCheck web.config. All other security settings will cascade down from the parent virtual directory.

<system.web>
  <authentication mode="Forms">
   <forms slidingExpiration="false" />
  </authentication>
</system.web>
explunit
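
The renewal behaviour discussed in this thread, as an added model that is not code from any of the posts or from ASP.NET itself: it shows that an idle session polled once per second never reaches its timeout when the poll is served with sliding expiration on, and does when the poll is served with it off, as in the ExpCheck virtual directory. The 30-minute timeout, the login time and all class and method names are assumptions made for the illustration.

```csharp
using System;
// Added model of the sliding-expiration rule; not ASP.NET's own source.
public sealed class Ticket
{
    public DateTime IssueDate;
    public DateTime Expiration;
}

public static class SlidingExpirationModel
{
    // One request against the ticket. Returns null when the ticket has expired.
    // With sliding on, the ticket is reissued once half its lifetime has elapsed.
    public static Ticket OnRequest(Ticket t, DateTime now, bool sliding)
    {
        if (now >= t.Expiration) return null;
        TimeSpan age = now - t.IssueDate;
        TimeSpan left = t.Expiration - now;
        if (!sliding || left > age) return t;   // first half, or sliding off: unchanged
        return new Ticket { IssueDate = now, Expiration = now + (t.Expiration - t.IssueDate) };
    }

    // Idle user, page polling once per second. Returns the time the ticket
    // expires, or null if it is still valid at the end of the horizon.
    public static DateTime? IdleExpiry(bool pollSlides, TimeSpan timeout, TimeSpan horizon)
    {
        DateTime login = new DateTime(2012, 10, 10, 12, 0, 0);   // constructed sample value
        Ticket t = new Ticket { IssueDate = login, Expiration = login + timeout };
        for (DateTime now = login; now <= login + horizon; now = now.AddSeconds(1))
        {
            t = OnRequest(t, now, pollSlides);
            if (t == null) return now;
        }
        return null;
    }

    private static string Show(DateTime? e) { return e.HasValue ? "expired at " + e.Value.ToString("HH:mm:ss") : "still valid"; }

    public static void Main()
    {
        TimeSpan timeout = TimeSpan.FromMinutes(30);   // assumed forms timeout
        TimeSpan horizon = TimeSpan.FromHours(8);      // how long the idle tab stays open
        // Poll handled where slidingExpiration is on: the poll itself keeps renewing.
        Console.WriteLine("poll slides ticket:  " + Show(IdleExpiry(true, timeout, horizon)));
        // Poll handled by ExpCheck (slidingExpiration="false"): idle timeout still fires.
        Console.WriteLine("poll does not slide: " + Show(IdleExpiry(false, timeout, horizon)));
    }
}
```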