2
votes

When you have forms authentication set up to redirect to login.aspx when accessing a protected page, what's a good way to detect in login.aspx whether the user was sent there because they haven't logged on yet, or because their forms auth ticket is expired? I'd like to display a "you've timed out" message.

(I do not mention the word session in this question, because ASP.NET treats them so distinctly; however, if there is a good solution that involves session, I'm all ears.)

I've solved this in the past by having another cookie "hasloggedin" set when a user logs in and then checking to see if that exists to determine if it's a timeout and then display an appropriate message. But, this has to be a common problem?

1
Your cookie method seems to be a good way to do it. If you are already using session variables (depending on their relative timeout value to the authentication timeout), you could check Page.Session.IsNewSession to see if the session was created with the current request. – JustinStolle

1 Answer

2
votes

Forms authentication will automatically append a URL parameter 'ReturnURL', indicating what page (if any) triggered the redirection to the login page. Most websites have a 'Default.aspx' or 'index.html' etc as the default page. You can check the ReturnURL to see if it contains the default page, or some other page in your application.

EXAMPLE:

// Initialise so the comparison below compiles when ReturnURL is absent
string refererURL = "";
if (Page.Request.QueryString["ReturnURL"] != null)
{
    refererURL = Page.Request.QueryString["ReturnURL"].ToString();
}

//Check to see if user was redirected because of Timeout or initial login
//Where "Default.aspx" is the default page for your application
if (refererURL != "" && refererURL != (ResolveUrl("~") + "Default.aspx"))
{
    //Show HTML etc showing session timeout message 
}
else // User redirected here due to initial login
{
    //Show HTML showing initial login HTML message etc
}
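
The marker-cookie approach from the question combined with the ReturnUrl check from the answer, as an added example that is not part of the original thread. The class name, the `ShowTimeout` property and the `SignIn`/`SignOut` helpers are assumptions; the marker is a display hint only and carries no identity.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for login.aspx (names are assumptions, not from the thread).
public class Login : Page
{
    // UI hint only: never use this cookie for any authorization decision.
    private const string MarkerCookie = "hasloggedin";

    // The .aspx markup can render the "you've timed out" text when this is true.
    protected bool ShowTimeout { get; private set; }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        bool redirected = !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]);
        bool hadLogin = Request.Cookies[MarkerCookie] != null;
        // Marker present, no valid ticket, sent here from a protected page: ticket expired.
        if (redirected && hadLogin && !Request.IsAuthenticated)
        {
            ShowTimeout = true;
            WriteMarker("", DateTime.UtcNow.AddDays(-1)); // show the message once
        }
    }

    // Call only after the credentials have been validated.
    protected void SignIn(string userName, bool persistent)
    {
        WriteMarker("1", DateTime.MinValue); // MinValue = session cookie, no expiry
        FormsAuthentication.RedirectFromLoginPage(userName, persistent);
    }

    protected void SignOut()
    {
        FormsAuthentication.SignOut();
        WriteMarker("", DateTime.UtcNow.AddDays(-1)); // explicit logout is not a timeout
    }

    private void WriteMarker(string value, DateTime expires)
    {
        var cookie = new HttpCookie(MarkerCookie, value)
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,   // match the auth cookie's transport
            Path = FormsAuthentication.FormsCookiePath,
            Expires = expires
        };
        Response.Cookies.Add(cookie);
    }
}
```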