8

I have an ASP.NET MVC 5 application, using Identity 2 for authentication (using the standard cookie authentication middleware, configured with ExpireTimeSpan = 30 minutes and SlidingExpiration = true).

I have configured authentication to expire after 30 minutes, and I need to check from client-side if the user is still logged in. I could do a simple AJAX call for that, but it would refresh my session and reset the timeout, which is exactly what I want to avoid. Using a 30-minute timeout in JavaScript would work only if the client has only one tab open on my application, which is something I cannot guarantee.

I was thinking about adding a custom attribute to an action that could check if authentication is still valid, but without resetting the timeout. Is there a way to do that?

Alternatively, this could probably also be done with an OWIN middleware, but again, I don't know how to check authentication without resetting the timeout.

Najkin
  • Actually, what are you going to do after finding out whether the user is logged in or not? – Power Star Sep 23 '16 at 08:16
  • The idea was to redirect the user to a different page. – Najkin Sep 23 '16 at 11:17
  • So if the user is not logged in then you will redirect to some page. Am I right? – Power Star Sep 23 '16 at 11:18
  • Yes, the idea is to be able to detect from client code when the authentication expires, and when it does, redirect to some page (or do something else, the solution I'm looking for should be generic enough). – Najkin Sep 23 '16 at 12:54
  • 1
    I think you can go ahead with a 30-minute JavaScript event. In it, you have to call your anonymous controller function, and in that you have to check whether the claims are present or not. If present, then no problem; otherwise you need to redirect. Also, if your application tab is closed, then no problem, because when anyone opens your application it will be checked by the authorize attribute, so that will take care of it on page load. – Power Star Sep 23 '16 at 13:24
  • Did you find any solution? – Power Star Sep 26 '16 at 14:04
  • 1
    I think you can't find a solution from client script, because when you check with the server side whether the user is still logged in, it resets your expiration time again – Sandip - Frontend Developer Sep 27 '16 at 11:10
  • @SandipPatel Yes, that's exactly my problem. Any request, even one that doesn't require authentication, resets the timeout. I still have no solution yet. – Najkin Sep 27 '16 at 11:53

1 Answer

1

Here is the function I use to accomplish the feat, although I'm only using MVC 4. I just call it through a timed AJAX post. I use it to determine how long I need to set my timed AJAX call for, which is why I return the number of seconds remaining.

    ' Requires: Imports System.Web.Security (FormsAuthentication, FormsAuthenticationTicket)
    <OutputCache(NoStore:=True, Duration:=0)> _
    Function GetExpirySeconds() As ActionResult
        Dim tkt As FormsAuthenticationTicket = Nothing
        ' Default answer when there is no cookie or the ticket has run out
        Dim retVal As ActionResult = Json("expired")
        ' Drop the auth cookie from the response so this request does not hand back a renewed ticket
        Response.Cookies.Remove(FormsAuthentication.FormsCookieName)
        If Request.Cookies(FormsAuthentication.FormsCookieName) IsNot Nothing AndAlso Request.Cookies(FormsAuthentication.FormsCookieName).Value <> "" Then
            ' Decrypt the ticket sent by the browser and report the whole seconds left on it
            tkt = FormsAuthentication.Decrypt(Request.Cookies(FormsAuthentication.FormsCookieName).Value)
            retVal = Json(Math.Floor((tkt.Expiration - Now).TotalSeconds))
            If Math.Floor((tkt.Expiration - Now).TotalSeconds) <= 0 Then retVal = Json("expired")
        End If
        Return retVal
    End Function

Blog Post for Reference: Kobi's Blog

Steve0
  • Clarification: It's been quite some time since it was written, but if memory serves me the removal of the cookie from the response strikes me as the key. – Steve0 Sep 28 '16 at 21:09
  • I don't use forms authentication, but ASP.NET Identity, so this solution is not applicable in my case. – Najkin Sep 29 '16 at 06:16
  • Sorry I missed the part of your question that mentioned Identity. I am unfamiliar with the technology. Seems likely that the server is still updating the cookie and returning it to the client in the response. Is there no way to prevent this? – Steve0 Sep 29 '16 at 14:45
  • @Steve Did you find any workaround for your problem? If yes, can you please post that solution? – Vetri Selvan May 10 '18 at 06:25
  • @VetriSelvan I did not further investigate a similar technique for `Identity`. My answer is only relevant when using `forms authentication`, and in that case works as expected. – Steve0 May 10 '18 at 16:43
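
The client side of the timed AJAX call described in the answer above, as an added example that is not part of the original thread: it consumes the forms-authentication endpoint's reply (`"expired"` or the seconds remaining) and re-arms its timer from that value, so a session extended from another tab is picked up instead of being treated as expired. The constants, the function names, the URL and the redirect target are assumptions.

```javascript
// Added example. Constants and names below are assumptions, not from the thread.
const GRACE_MS = 2000;            // re-check shortly after the reported expiry
const RETRY_MS = 30000;           // back-off after a network error or odd reply
const MAX_DELAY_MS = 2147483647;  // largest delay setTimeout accepts

// Map the endpoint's JSON reply ("expired" or seconds remaining) to a next step.
function decide(body) {
  if (body === "expired") return { action: "expired" };
  if (typeof body !== "number" || !Number.isFinite(body)) {
    return { action: "retry", delayMs: RETRY_MS };
  }
  if (body <= 0) return { action: "expired" };
  return { action: "recheck", delayMs: Math.min(body * 1000 + GRACE_MS, MAX_DELAY_MS) };
}

// Poll until the server reports expiry. A wake-up never assumes the session is
// gone: if another tab slid the expiration, the reply carries the new remaining
// time and the timer is simply re-armed.
function watchSession({ fetchExpiry, onExpired, schedule = setTimeout }) {
  let stopped = false;
  async function tick() {
    if (stopped) return;
    let step;
    try {
      step = decide(await fetchExpiry());
    } catch (err) {
      // Network failure or a non-JSON reply: try again later, do not log out.
      step = { action: "retry", delayMs: RETRY_MS };
    }
    if (stopped) return;
    if (step.action === "expired") return onExpired();
    schedule(tick, step.delayMs);
  }
  tick();
  return () => { stopped = true; };  // call to stop watching
}

// Browser wiring (URL and redirect target are placeholders):
// watchSession({
//   fetchExpiry: () => fetch("/Account/GetExpirySeconds",
//     { method: "POST", credentials: "same-origin" }).then((r) => r.json()),
//   onExpired: () => window.location.assign("/Account/Login"),
// });
```

This only drives the page's behaviour; the server's own authorization check on each request remains what enforces the timeout.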