
Forms Authentication Problem: Session expired, pages can still be visited.

gnewsgroup - 13 Nov 2007 18:38 GMT
I am using forms authentication for a web application.

Like many other member web applications, my web application prints out

           Welcome! John Doe (Logout)

on the top right corner of each protected page.

But pages can still be visited by following the links in the web
application after a session has timed out, and data can still be retrieved
from the database.  I know the session has timed out because at the
top right corner I only see

         Welcome! (Logout)

However, when a user explicitly signs out by clicking on Logout,
protected pages are no longer accessible, and they'll be redirected to
Login.aspx.

The code-behind of my logout page is this:

public partial class Logout : System.Web.UI.Page
{
   protected void Page_Load(object sender, EventArgs e)
   {
       Session["UserName"] = "Junk user name";
       Session.Abandon();
       FormsAuthentication.SignOut();
       Response.Redirect("Login.aspx");
   }
}

I did the same thing in global.asax's Session_End method like so:

   void Session_End(object sender, EventArgs e)
   {
       Session.Abandon();
       FormsAuthentication.SignOut();
       Response.Redirect("Login.aspx");
   }

I am wondering how I can really protect the protected pages when a
session has timed out.  I must have missed something in this
authentication scheme.  Please kindly give me a hint.  Thanks.

bruce barker - 13 Nov 2007 19:35 GMT
Authentication and session are unrelated and perform different
functions. They commonly have the same timeout but don't have to match.
Also, while sessions (if inproc) can recycle before the timeout,
authentication doesn't.

In your case it seems sessions are recycling. Check the log for why they
recycle.

-- bruce (sqlwork.com)

> I am using forms authentication for a web application.
>
[quoted text clipped - 40 lines]
> session has timed out.  I must have missed something in this
> authentication scheme.  Please kindly give me a hint.  Thanks.
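
One way to tie the two lifetimes together, given that the forms ticket and the session expire independently (an added example, not code from the thread; the `UserName` session key comes from the question, and the assumption is that the login page sets it after a successful sign-in):

```csharp
// Global.asax.cs -- added example, not code posted in the thread.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumption: Login.aspx stores the user's name under this key,
    // as the question's Session["UserName"] suggests.
    private const string SessionUserKey = "UserName";

    // Runs on every request, after session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Requests served without session state have no Session object.
        if (ctx == null || ctx.Session == null)
            return;

        // Anonymous requests are already sent to the login page by the
        // <authorization> rules, so only authenticated ones matter here.
        if (!ctx.Request.IsAuthenticated)
            return;

        // Valid forms ticket but no session data (timeout or recycle):
        // the "Welcome! (Logout)" state described in the question.
        if (ctx.Session[SessionUserKey] == null)
        {
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();             // expire the auth cookie
            FormsAuthentication.RedirectToLoginPage(); // does not end the request
            CompleteRequest();                         // skip the protected page
        }
    }

    // Session_End is raised by the server with no current request (and
    // only for InProc session state), so there is no Response to redirect
    // and no cookie to clear. Use it for server-side cleanup only.
    protected void Session_End(object sender, EventArgs e)
    {
    }
}
```

Because `RedirectToLoginPage` does not stop processing on its own, the `CompleteRequest()` call is what keeps the protected page's handler from running on that request.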
