0
votes

ASP.Net 4.0 application, using Forms Authentication, timeout="1". The redirect page is Login.aspx.

As soon as I log into the application, I am taken into a default page (Page A), and if I wait idle for 1 minute and then try to access another page (Page B), I am re-directed to the login page (correctly).

If however, as soon as I log in, I access Page B and wait idle for 1 minute and then try to perform some other postback action, I am allowed to do so (whereas I should be thrown back to the Login.aspx).

Am I missing something here?

1
Are you sure you are waiting the full 1 min? Can you try clearing your cookies just before the postback and see if that works? - CoderMarkus
Yes, I am timing myself; you mean clear the cookies from the browser? - user1012598
Yes. That will ensure the cookie is destroyed and you should be redirected to login when the postback occurs. How do you get to Page B from Page A? Is it a hyperlink or redirect after postback? If it's the latter, then Page B might not be under the FA restricted area (for example, in a different folder not secured by FA). - CoderMarkus
The redirection is from the menu which is bound to the web.sitemap file. Page B is not under the same folder as Page A; how can I know whether the folder Page B is in is under FA or not? - user1012598

1 Answer

3
votes

Make sure all the required folders are managed by FA...

<system.web>
    <authentication mode="Forms">
        <forms name=".AUTH_COOKIE" loginUrl="~/login.aspx" protection="All" timeout="2880" requireSSL="false"/>
    </authentication>
</system.web>

Then, just after the system.web element of the web.config, add as many of these entries as are required to secure folders (remember, leave out the initial forward slash - all paths are absolute by default)...

<location path="securefolder">
    <system.web>
        <authorization>
            <deny users="?"/>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

EDIT:

Keep in mind that sub folders of secured folders are secured by default - this allows the specification of multiple folders that are not nested.
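To answer the commenter's question of how to tell whether a given folder is actually covered, here is an added check (not part of the answer above) that replays ASP.NET's merge order for authorization rules against a root web.config: the deepest matching location element first, then the root system.web rules, then the machine-level default allow. The sample web.config is constructed for the example, and the check assumes all rules live in this one file (per-folder web.config files are not merged).

```python
import xml.etree.ElementTree as ET

# Constructed sample root web.config modelled on the answer's layout:
# a <location> that secures "securefolder" only (authentication element omitted).
ROOT_WEB_CONFIG = """<configuration>
  <location path="securefolder">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _rules(authorization):
    """(verb, users) pairs of an <authorization> element, in document order."""
    if authorization is None:
        return []
    return [(r.tag, r.get("users", "")) for r in authorization
            if r.tag in ("allow", "deny")]

def rules_for_folder(config_xml, folder):
    """Effective rule list for a request into 'folder', most specific first.

    ASP.NET checks the deepest matching <location> first, then the root
    <system.web> rules, then the machine-level default <allow users="*"/>.
    Assumption: only <location> elements of this one file are read; a
    per-folder web.config would have to be merged in the same order.
    """
    root = ET.fromstring(config_xml)
    parts = [p for p in folder.strip("/").split("/") if p]
    rules = []
    for depth in range(len(parts), 0, -1):  # deepest path prefix first
        path = "/".join(parts[:depth]).lower()
        for loc in root.findall("location"):
            if loc.get("path", "").strip("/").lower() == path:
                rules += _rules(loc.find("system.web/authorization"))
    rules += _rules(root.find("system.web/authorization"))
    rules.append(("allow", "*"))  # machine.config default: everyone allowed
    return rules

def anonymous_denied(config_xml, folder):
    """True if an anonymous (e.g. timed-out) request into 'folder' is denied."""
    for verb, users in rules_for_folder(config_xml, folder):
        names = {u.strip() for u in users.split(",")}
        if "?" in names or "*" in names:  # first rule matching anonymous wins
            return verb == "deny"
    return False
```

A folder for which this returns False is the situation in the question: once the forms ticket has expired the postback is anonymous, but nothing denies it, so the page still serves.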