Forms Authentication Timeout vs Session Timeout
2013-06-20 10:36
375 查看
We have an old .NET 1.1 web application which I have to support and a recent change in the login process for a select few customers has been causing haywire with every users session. The folks at QA have been giving me a really hard time lately with this bug
and I just couldn’t get around as to what was causing this weird behavior.
The problem was that if we set the forms authentication and session timeouts to 10 minutes and after the 10th minute the user clicked on any link the app would redirect the user to the login page but the session was not abandoned i.e. the forms authentication
ticket had expired but not the session state timeout. To make matters worse I was unable to reproduce it on DEV or QA instance with my automated test script but was able to reproduce it by manually following the steps.
After a lot of googling I finally realized the solution was right there and I had just overlooked it. The problem was in the way timeouts work for authentication tickets vs session state.
Forms authentication ticket can time out in two ways. The first scenario occurs if you use absolute expiration. With absolute expiration, you set an expiration of 20 minutes, and a user visits the site at
2:00 PM. The user will be redirected to the login page if the user visits the site after 2:20 PM. Even if the user visited some pages in between 2:00 PM and 2:20 PM the user will still be redirected to the login page after 2:20 PM.
Now if you are using sliding expiration for forms authentication and session state the scenario gets a bit complicated.
With sliding expiration the session state timeout is updated on every visit but the cookie and the resulting
authentication ticket are updated if the user visits the site after the expiration time is half-expired.
For example, you set an expiration of 20 minutes for forms authentication ticket and session state and you set sliding expiration to true. A user visits the site at 2:00 PM, and the user receives a cookie that is set to expire at 2:20 PM. The authentication
ticket expiration is only updated if the user visits the site after 2:10 PM. If the user visits the site at 2:08 PM, the authentication ticket is not updated but the session state timeout is updated and the session now expires at 2:28 PM. If the user then
waits 12 minutes, visiting the site at 2:21 PM, the authentication ticket will be expired and the user is redirected to the login page, but guess what, the session timeout has not yet expired.
Here is the MSDN link which explains this
http://support.microsoft.com/kb/910439
So, how do we synch these two timeouts? Or force the other to timeout if one of them expires? The workaround we came up with was to set the authentication timeout to double the value of session timeout and have the following code in the global.asax.cs.
protected void Application_AcquireRequestState(object sender,
SystemEventArgs e)
{
if(Session!= null && Session.IsNewSession)
{
string szCookieHeader= Request.Headers["Cookie"];
if((szCookieHeader!= null)&& (szCookieHeader.IndexOf("ASP.NET_SessionId")>= 0))
{
if(User.Indentity.IsAuthenticated)
{
FormsAuthentication.SignOut();
Response.Redirect(Request.RawUrl);
}
}
}
}
and I just couldn’t get around as to what was causing this weird behavior.
The problem was that if we set the forms authentication and session timeouts to 10 minutes and after the 10th minute the user clicked on any link the app would redirect the user to the login page but the session was not abandoned i.e. the forms authentication
ticket had expired but not the session state timeout. To make matters worse I was unable to reproduce it on DEV or QA instance with my automated test script but was able to reproduce it by manually following the steps.
After a lot of googling I finally realized the solution was right there and I had just overlooked it. The problem was in the way timeouts work for authentication tickets vs session state.
Forms authentication ticket can time out in two ways. The first scenario occurs if you use absolute expiration. With absolute expiration, you set an expiration of 20 minutes, and a user visits the site at
2:00 PM. The user will be redirected to the login page if the user visits the site after 2:20 PM. Even if the user visited some pages in between 2:00 PM and 2:20 PM the user will still be redirected to the login page after 2:20 PM.
Now if you are using sliding expiration for forms authentication and session state the scenario gets a bit complicated.
With sliding expiration the session state timeout is updated on every visit but the cookie and the resulting
authentication ticket are updated if the user visits the site after the expiration time is half-expired.
For example, you set an expiration of 20 minutes for forms authentication ticket and session state and you set sliding expiration to true. A user visits the site at 2:00 PM, and the user receives a cookie that is set to expire at 2:20 PM. The authentication
ticket expiration is only updated if the user visits the site after 2:10 PM. If the user visits the site at 2:08 PM, the authentication ticket is not updated but the session state timeout is updated and the session now expires at 2:28 PM. If the user then
waits 12 minutes, visiting the site at 2:21 PM, the authentication ticket will be expired and the user is redirected to the login page, but guess what, the session timeout has not yet expired.
Here is the MSDN link which explains this
http://support.microsoft.com/kb/910439
So, how do we synch these two timeouts? Or force the other to timeout if one of them expires? The workaround we came up with was to set the authentication timeout to double the value of session timeout and have the following code in the global.asax.cs.
protected void Application_AcquireRequestState(object sender,
SystemEventArgs e)
{
if(Session!= null && Session.IsNewSession)
{
string szCookieHeader= Request.Headers["Cookie"];
if((szCookieHeader!= null)&& (szCookieHeader.IndexOf("ASP.NET_SessionId")>= 0))
{
if(User.Indentity.IsAuthenticated)
{
FormsAuthentication.SignOut();
Response.Redirect(Request.RawUrl);
}
}
}
}
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Forms authentication timeout vs sessionState timeout
- Caution with using asp.net session timeout and FormsAuthentication timeout together
- ASP.NET Session and Forms Authentication and Session Fixation
- Session-based Authentication VS Token-based Authentication
- .net的FormsAuthenticationTicket session、cookies验证用户信息用法的区别 推荐
- Forms Authentication timeout and Expiration
- Handling session and authentication timeouts in ASP.Net
- 解决DM_SESSION_E_CLIENT_AUTHENTICATION_FAILURE ---Documentum 6.0/6.5
- 不同.NET Framework版本下ASP.NET FormsAuthentication的兼容性
- Introduction and Configuration SharePoint 2013 Forms Based Authentication
- 在.net 4.5下FormsAuthentication.HashPasswordForStoringInConfigFile过时的问题
- cookie vs session
- the parameter of session timeout
- [译]WebForms vs. MVC
- Qt: Session management error: None of the authentication protocols specified are supported
- SQL session vs global
- 认证和授权的区别 Authentication vs. Authorization
- FormsAuthentication.SignOut() 后,并未真正退出的原因
- FormsAuthenticationTicket基于forms的验证
- Authentication 方案优化探索(JWT, Session, Refresh Token, etc.)