Force timeout (logout)

kplkumar

Hi

I am doing a manual timeout, irrespective of whether the user is active
or not I will time them out after 3 hours. I also make sure the page is
not cached so that they can't go back to the page from which they were
timed out.

The problem now is that when they go back to their page (which says the
page has expired) and click on the refresh button in the browser they
are somehow authenticated and a new session is created.

I am trying to get them out of the system completely and force them
to login again. FYI, I am using integrated "Windows" authentication
mode.


My Global.asax
__________________________________________________________________

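void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
    HttpSessionState state = HttpContext.Current.Session;
    // Session is null for handlers that do not use session state.
    if (state == null || state["EntryTime"] == null)
    {
        return;
    }

    // Time elapsed since the first request of this session.
    DateTime entryTime = Convert.ToDateTime(state["EntryTime"]);
    TimeSpan elapsed = DateTime.Now.Subtract(entryTime);
    if (elapsed.TotalMinutes > 180)
    {
        // Hard limit of 3 hours reached: drop the session and show the timeout page.
        state.Abandon();
        Response.Redirect("http://10.1.1.24:8080/SoapTestWebApp/Timeout.aspx");
    }
}

void Application_AcquireRequestState(object sender, EventArgs e)
{
    HttpSessionState state = HttpContext.Current.Session;
    // Record the time of the first request in a new session.
    if (state != null && state["EntryTime"] == null)
    {
        state.Add("EntryTime", DateTime.Now);
    }
}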
 
Dot Net Jose

Hi

Instead of using the session what I would do is create a Cookie
called something like "FirstRequestData" with the value being the date
of the first request.

Then for every subsequent request, I would check to see if the date is
greater than 3 hours from the FirstRequestDate, then I would redirect
them to a timeout message page, otherwise ignore.

Now, if you want the clock to be reset every time they close the
browser, I wouldn't specify a value for the cookie expiration, that
will make it so that every time the browser is closed completely, the
cookie will be deleted.

I hope that helps.

Jose
 
kplkumar

Jose

Thanks for the tip about using a cookie instead of session.

However, my problem is to make sure I force them to login again, when
they try to hit the back button.
 
V

Hi,

I wonder if this will help.
- You can use either Javascript to disable the back button by clearing
the history of the browser.
- You can use browser header tags, or even meta tags to control
client-side cache behavior and ensure no caching of your page is done.

Regards,
Vaibhav
www.nagarro.com
 
kplkumar

Hi Vaibhav

That is true. But to make sure that I don't cache the page, I could do
that in the aspx tag. That is not the issue here.

The issue is, although after hitting the back button the page shows
that it is expired, if the user hits the "Refresh" button in the
browser, for some reason the user is authenticated.
I believe there is some kind of caching done by the client about the
credentials and it uses it for requesting the page on refresh.
 
bruce barker (sqlwork.com)

you are correct.

because you are using IIS authentication, every page request is
authenticated (no cookie is used - that's just used for session id). to keep
from asking credentials on every hit, the browser caches the credentials.

if you want them to see the login dialog box, you need to send a 401 error
even though the credentials are valid. you only want to do this once, or they
will not be able to access the site.

-- bruce (sqlwork.com)
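
The one-time 401 described in the reply above, as an added example that is not code from any poster in this thread. It replaces the redirect in the Global.asax timeout check and assumes that the original poster's Application_AcquireRequestState handler is still in place and that IIS adds the WWW-Authenticate challenge for the configured Windows scheme to a 401 response.

```csharp
// Added example for Global.asax; not from the thread.
void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
    HttpContext ctx = HttpContext.Current;

    // Handlers without session state have no Session object.
    if (ctx.Session == null || ctx.Session["EntryTime"] == null)
    {
        return;
    }

    DateTime entryTime = Convert.ToDateTime(ctx.Session["EntryTime"]);
    if (DateTime.Now.Subtract(entryTime).TotalMinutes <= 180)
    {
        return; // still inside the 3 hour window
    }

    // Abandoning the session is what makes the 401 a one-time event:
    // the next request gets a new session, Application_AcquireRequestState
    // stamps a fresh EntryTime, and this branch is not reached again
    // until another 3 hours have passed.
    ctx.Session.Abandon();

    // Reject the request although the credentials were valid, so the
    // browser discards what it cached and has to authenticate again.
    // Assumption: IIS supplies the WWW-Authenticate header for the
    // Windows authentication scheme enabled on the site.
    ctx.Response.Clear();
    ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);
    ctx.Response.StatusCode = 401;
    ctx.Response.StatusDescription = "Unauthorized";
    ctx.Response.End();
}
```

A browser set to log on automatically with the current Windows account can answer this 401 without showing a dialog, so verify the behaviour with the browser settings the users actually have.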
 
