
I have a SessionTimeOutModule (inherited from IHttpModule) that is used for the following: if the user's session times out, it handles the request to do some stuff, like signing out the user and some other things. But I have checked, and even after signing out, i.e. Request.GetOwinContext().Authentication.SignOut(***), the Context still has the user's details, which causes the data to be passed into the Action Filters, and because of that I am not able to perform some stuff. So my main goal is either to reset the Context (remove the current user from the Context) or, after signing out, do an anonymous user login (for which I need to access ClaimsIdentityProvider) to create new claims.

Here is my code:

```csharp
void PostAuthenticateRequest(HttpApplication application)
{
    var context = application.Context;

    var customer = context
        .GetCustomer();

    // If the user is logged in or checking out and has sat idle too long, make them reauthenticate.
    var sessionTimeout = customer.IsAdminUser || customer.IsAdminSuperUser
        ? Common.AdminSessionTimeout()
        : Common.SessionTimeout();

    var reauthRequired = customer.HasCustomerRecord
        && customer.LastActivity < DateTime.Now - sessionTimeout;
    var pageURL = context.Request.Url.Segments.Length > 1 ? context.Request.Url.Segments[1] : context.Request.Url.AbsolutePath;
    if(!reauthRequired)
    {
        // Don't update customer sessions if the request is just for certain page elements.  This protects against the possibility of AJAX'y content messing up the session timer
        var requestedResourceEndsWithIgnoredExtension = new[]
            {
                ".png",
                ".jpg",
                ".gif",
                ".js",
            }
            .Where(extension => context.Request.Url.AbsoluteUri.EndsWith(extension))
            .Any();

        if(!requestedResourceEndsWithIgnoredExtension)
            customer.ThisCustomerSession.UpdateCustomerSession(null, null);
    }
    else if(customer.IsRegistered)
    {
        var authenticationManager = context
            .Request
            .GetOwinContext()
            .Authentication;

        // Registered users have to sign back in
        authenticationManager.SignOut(AuthValues.CookiesAuthenticationType);
        context.Request
            .GetOwinContext()
            .Authentication
            .SignOut(AuthValues.CookiesAuthenticationType);

        var customer1 = new Customer(Guid.NewGuid());
        // This part is not working, of course.
        if(ClaimsIdentityProvider != null)
        {
            HttpContext.Current.Request
            .GetOwinContext()
            .Authentication
            .SignIn(
                properties: new Microsoft.Owin.Security.AuthenticationProperties
                {
                    IsPersistent = true
                },
                identities: ClaimsIdentityProvider.Create(customer1));
        }
    }
    else
    {
        // Anons go here instead
        customer.EndAnonymousSession();

        var sessionTimeoutLandingPage = Common.AppSettingsConfig("SessionTimeoutLandingPage");
        var redirectUrl = string.IsNullOrEmpty(sessionTimeoutLandingPage)
            ? "~/"
            : sessionTimeoutLandingPage;
        context.Response.Redirect(redirectUrl, false);
        context.ApplicationInstance.CompleteRequest();
        return;
    }
}
```
Theodor Zoulias
Ram Singh

1 Answer

It sounds more like you are trying to log out the user, then have the user either appear to be at the same page/URL or redirect to the session timeout page. If that is the case, then comment out

```csharp
authenticationManager.Challenge(AuthValues.CookiesAuthenticationType);
```

To redirect to the session timeout page, use something like

```csharp
var sessionTimeoutLandingPage = AppLogic.AppConfig("SessionTimeoutLandingPage");
var redirectUrl = string.IsNullOrEmpty(sessionTimeoutLandingPage)
    ? "~/"
    : sessionTimeoutLandingPage;
context.Response.Redirect(redirectUrl, false);
context.ApplicationInstance.CompleteRequest();
```

If you do want to make it appear that it is the same page but signed out, then use something like

```csharp
context.Response.Redirect(context.Request.RawUrl, false);
context.ApplicationInstance.CompleteRequest();
```
Geach
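The reason the question's module still sees the user is that the OWIN cookie `SignOut` only queues an expired cookie on the response; the principal already attached to the current request is left as it is. The following is an added example (not code from the question or the answer) of a timeout module that signs out, replaces the current request's principal with an unauthenticated one so nothing downstream trusts the stale identity, and then ends the request. It assumes the question's `GetCustomer()`, `Common` and `AuthValues` helpers; the module class name is hypothetical.

```csharp
// Added example; assumes the question's Customer/Common/AuthValues types.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

public class SessionTimeoutModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += (sender, e) => HandleTimeout((HttpApplication)sender);
    }

    public void Dispose() { }

    static void HandleTimeout(HttpApplication app)
    {
        var context = app.Context;
        var customer = context.GetCustomer(); // extension method from the question
        var timeout = customer.IsAdminUser || customer.IsAdminSuperUser
            ? Common.AdminSessionTimeout()
            : Common.SessionTimeout();

        // Enforce the idle limit server side; never rely on the client to time out.
        if (!(customer.HasCustomerRecord && customer.LastActivity < DateTime.Now - timeout))
            return;

        // Expires the auth cookie on the response. This does NOT touch the identity
        // already bound to this request, so later stages (action filters, controllers)
        // would still see the timed-out user if we stopped here.
        context.Request.GetOwinContext().Authentication.SignOut(AuthValues.CookiesAuthenticationType);

        // Replace the principal for the remainder of this request. A GenericIdentity
        // with an empty name reports IsAuthenticated == false, so downstream code
        // that checks User.Identity.IsAuthenticated now sees an anonymous caller.
        var anonymous = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        context.User = anonymous;
        Thread.CurrentPrincipal = anonymous;

        // Safest option: end the pipeline now so no handler runs with stale state.
        var landing = Common.AppSettingsConfig("SessionTimeoutLandingPage");
        context.Response.Redirect(string.IsNullOrEmpty(landing) ? "~/" : landing, false);
        app.CompleteRequest();
    }
}
```

Signing in a freshly built anonymous `ClaimsIdentity` instead, as the question considers, has the same limitation: OWIN `SignIn` only writes a cookie for the next request, so `context.User` still has to be replaced explicitly if the current request is allowed to continue.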