Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Windows Authentication/Session Timeout issue

Reply
Thread Tools

Windows Authentication/Session Timeout issue

 
 
jamminjime@gmail.com
Guest
Posts: n/a
 
      09-18-2007
Since all of the brightest at Microsoft seem to be in here, I will ask
you guys this question.

We have an intranet application using Windows Authentication. I was
NOT in on writing it, I just have to squash the bugs. This
application has a timeout set in the web.config file of xx minutes.
USING WINDOWS Authentication, we don't have a login page. When the
session times out and a user tries to continue working (long lunch,
etc), it throws an error something like "Session is in an invalid
state" or something to that effect. I am sure that their session has
timed out and they need to return to the main page and start over.

My question to the group is....

How can I redirect an asp.net application that uses Windows
Authentication upon session timeout?

I have seen alot of OLD posts stating that you should use Forms
Authentication to do this or use the Meta tag REFRESH to handle it. I
am an older coder which means I am lazy and want to do this the
easiest way possible (and without checking out some 300 web forms from
VSS).

Any ideas?

Thanks,

Jamminjime

 
Reply With Quote
 
 
 
 
Joe Kaplan
Guest
Posts: n/a
 
      09-19-2007
Authentication and session state are not related with either forms auth or
window auth. Session state is maintained via a cookie. With forms auth, a
different cookie is used (with potentially a different timeout), while with
Windows auth, the authentication state is maintained with different headers.

When you are using Windows auth, your authentication doesn't become invalid
if your session state times out. You are still authenticated. You just need
to anticipate in your code that your session data that you need might not be
there and return the user to a known safe starting place.

One way to do this would be simply check if the session data you need isn't
there and then redirect to where you need to be to get to a known good
state. You can also do some fancier stuff using global.asax events to check
for session start events in places where a new session should not be started
and handle the problem from there.

Another thing to consider is to avoid using session state in the first
place. Users tend to hate it as they can't go to lunch without losing the
work they were in the middle of doing (unless you use very long timeouts,
although that just disguises the problem). Use other state management
techniques like cookies, query strings, form fields/view state or
persistence of intermediate data to your database.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com...
> Since all of the brightest at Microsoft seem to be in here, I will ask
> you guys this question.
>
> We have an intranet application using Windows Authentication. I was
> NOT in on writing it, I just have to squash the bugs. This
> application has a timeout set in the web.config file of xx minutes.
> USING WINDOWS Authentication, we don't have a login page. When the
> session times out and a user tries to continue working (long lunch,
> etc), it throws an error something like "Session is in an invalid
> state" or something to that effect. I am sure that their session has
> timed out and they need to return to the main page and start over.
>
> My question to the group is....
>
> How can I redirect an asp.net application that uses Windows
> Authentication upon session timeout?
>
> I have seen alot of OLD posts stating that you should use Forms
> Authentication to do this or use the Meta tag REFRESH to handle it. I
> am an older coder which means I am lazy and want to do this the
> easiest way possible (and without checking out some 300 web forms from
> VSS).
>
> Any ideas?
>
> Thanks,
>
> Jamminjime
>



 
Reply With Quote
 
 
 
 
Kyle M. Burns
Guest
Posts: n/a
 
      09-21-2007
Have you considered using a global error handler for this? In your
Application level error event, you can check for this specific type and
redirect the user. You could either transport them to a page that's a valid
starting point for sessions or to an interstitial page that first informs
them that there session has timed out and then takes them to the valid
starting point.

"(E-Mail Removed)" wrote:

> Since all of the brightest at Microsoft seem to be in here, I will ask
> you guys this question.
>
> We have an intranet application using Windows Authentication. I was
> NOT in on writing it, I just have to squash the bugs. This
> application has a timeout set in the web.config file of xx minutes.
> USING WINDOWS Authentication, we don't have a login page. When the
> session times out and a user tries to continue working (long lunch,
> etc), it throws an error something like "Session is in an invalid
> state" or something to that effect. I am sure that their session has
> timed out and they need to return to the main page and start over.
>
> My question to the group is....
>
> How can I redirect an asp.net application that uses Windows
> Authentication upon session timeout?
>
> I have seen alot of OLD posts stating that you should use Forms
> Authentication to do this or use the Meta tag REFRESH to handle it. I
> am an older coder which means I am lazy and want to do this the
> easiest way possible (and without checking out some 300 web forms from
> VSS).
>
> Any ideas?
>
> Thanks,
>
> Jamminjime
>
>

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Timeout Issue with Windows XP SP2 =?Utf-8?B?RGF2aWRT?= ASP .Net 0 05-24-2005 02:59 PM
Timeout::timeout and Socket timeout Mark Probert Ruby 1 10-06-2004 09:30 AM
Session contents lost despite Session.Timeout = 3000; and <sessionState mode="InProc" cookieless="false" timeout="300"> Carpe Diem ASP .Net 3 02-23-2004 07:10 PM
web.config session timeout and forms authentication timeout Do ASP .Net 2 11-23-2003 02:27 PM
Re: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding. Bob Johnson ASP .Net 0 08-07-2003 12:52 PM



Advertisments