A
Andy Fish
Hi,
I have an asp.net web app whereby I authenticate the user with Forms
Authentication and store details about him in the session. I want to be able
to catch an event when the users authentication period expires but I can't
see any way to do this.
Currently I have set the forms authentication expiry shorter than the
session expiry because I don't want a user logged in if his session details
are invalid. I was thinking of setting the two timeouts to the same thing,
then I could catch the session_end event. However, to avoid the race
condition of having session_end happen before the forms authentication
timeout, I would want to force the user to get logged off in the session_end
event, but calling FormsAuthentication.SignOut() in the session_end event
would presumably not work. It's not really clear to me how the static
methods in FormsAuthentication get their context (i.e. when calling
SignOut() how does it know which user to sign out?)
It seems to me that most people using forms authentication would want to tie
the session period in with the authenticated period and avoiding all the
race conditions - has anyone found a sensible way to do this.
Andy
I have an asp.net web app whereby I authenticate the user with Forms
Authentication and store details about him in the session. I want to be able
to catch an event when the users authentication period expires but I can't
see any way to do this.
Currently I have set the forms authentication expiry shorter than the
session expiry because I don't want a user logged in if his session details
are invalid. I was thinking of setting the two timeouts to the same thing,
then I could catch the session_end event. However, to avoid the race
condition of having session_end happen before the forms authentication
timeout, I would want to force the user to get logged off in the session_end
event, but calling FormsAuthentication.SignOut() in the session_end event
would presumably not work. It's not really clear to me how the static
methods in FormsAuthentication get their context (i.e. when calling
SignOut() how does it know which user to sign out?)
It seems to me that most people using forms authentication would want to tie
the session period in with the authenticated period and avoiding all the
race conditions - has anyone found a sensible way to do this.
Andy