Forms Authentication Timeout Logging

1
votes

I want to detect when a asp.net Form Authentication ticket has expired. I then want to log to the server the user that was signed out because of inactivity. Is there an event that fires on the server when the authentication ticket has expired?

<sessionState mode="InProc" timeout="5"></sessionState>
<authentication mode="Forms">
  <forms loginUrl="~/Home/AccessDenied" timeout="5" />
</authentication>

In the global asax file, I have tried the Session_OnEnd(). But the context.user object is null. When i call membership.getuser() it returns null also. I have tried making the session timeout before the auth but that doesn't help. I am using mvc3 and ii7.5.

1
asp.netasp.net-mvcsessionsession-timeoutform-authentication
I added a timer on the client. It pops up a notification that tells the user they have been inactive for some time. If they want to extend their session then I send an ajax post to the server and do an update on the Membership User object. Which extends their forms authentication session. I am open to other suggestionsRyand.Johnson
You could use a combination of this method to determine the timeout by reading the ticket and adding that value to the javascript that goes to the page.Adam Tuliper - MSFT

1 Answers

3
votes

Session and forms authentication have two completely separate timeouts. See my posting on this here:

How can I handle forms authentication timeout exceptions in ASP.NET?

In Application_PreRequestHandlerExecute you need to check the ticket.

Also be sure your session and forms auth timeouts are in sync using the code I posted there. Not just setting both to say 60 minutes. Since forms auth doesn't update the 'touched' time until half of the time passes by, and session time is updated on every request, they get out of sync.