how to prevent auth ticket expiration

[Perecli Manole]

In the forms authentication construct, I need a way to prevent ticket
IssueDate and Expiration from being updated for a specific page only. By
default forms authentication updates these two values whenever a page is
requested and slides these values forward. Is there any way to forgo this
proccess just for a specific page.

I need this because this page is requested behind the scenes cheking for
reminders for an Intranet application. Since this is done every minute the
user Login never expires which is not desirable.

Thanks
Perry

 

[Brock Allen]

Can make that page in a different application (one where Forms Auth is disabled)?

 

[Perecli Manole]

Tried this and it does not work.
The browser gives me a cross domain warning every time the page is accesses
which is not acceptable.
This occurs because this page is called through the XMLHTTPRequest client
javascript object.

Perry

 

[Brock Allen]

Did you create a new virtual directory in the same site? It can even be nested
under the app you're already using. XMLHTTPRequest wouldn't know of that
server side distinction.

 

[Perecli Manole]

Ok, I have followed your advice and it doesn't work.
I made a subdirectory of my main application directory. In IIS console I
made that subdirectory into an application of its own. That did not work as
is.
So I did more research and it looks like you need a global.asa and a
web.config in there too. I copied the two files from the main application to
the subdirectory and change the tag <authentication mode="None"> in the
web.config of the sub application. That gave me a criptic error, "Could not
load type 'MySubWebApp.MyPage'
With more investigation I found out that some tags one of which is
<authentication> can only be present in the root and can not be overriden by
a sub app.
I also read in some newsgroups that pages that are compiled in the same DLL
can only use one web.config because of something having to do with the
proccess. Don't know if this is true. I need this because both sides share
common libraries.

Maybe there is another way to prevent the auth ticket from updating for a
specified page. Can't this process be intercepted and overriden in some
place?

Thanks
Perry

 

[Brock Allen]

So I did more research and it looks like you need a global.asa and a

web.config in there too. I copied the two files from the main
application to
the subdirectory and change the tag <authentication mode="None"> in
the
web.config of the sub application.

Yes, good step, except you're not going to want most of the settings from

That gave me a criptic error,
"Could not
load type 'MySubWebApp.MyPage'

Yeah, something in web.config fot the nested application is referencing something
it doesn't need.

With more investigation I found out that some tags one of which is
<authentication> can only be present in the root and can not be
overriden by
a sub app.

Many things in web.config can't be overridden by a child directory. Most
things can be overrideed by a child application, which you've created.

Maybe there is another way to prevent the auth ticket from updating
for a specified page. Can't this process be intercepted and overriden
in some place?

Actually, there is one other idea. The FormsAuthModule fires a OnAuthenticate
event which you can use to specify the user. If you specify a method:

void FormsAuthentication_Authenticate(object s, FormsAuthenticationEventArgs
e)
{
if (HttpContext.Current.Request.Path == "ThePathIWantToIgnore.aspx")
{
e.User = new GenericPrincipal(new GenericIdentity(string.Empty, string.Empty),
new string[0]);
}
}

If you specify the identity, it won't be read from the forms auth cookie,
and you won't get the extention of the cookie timeout. I don't know why I
didn't think of this earlier.

 

[Perecli Manole]

I searched the whole MSDN library and there is no OnAuthenticate event. This
is a good idea but how do I override this event and where is this event?

The closest I could find is "AddOnAuthenticateRequestAsync" but I have no
idea how to implement this. It does not even show in the methods that can be
overriden in the IDE. It passes two delegates and this async stuff makes me
shudder. I could not find any examples of how this works.

Thanks
Perry

Maybe there is another way to prevent the auth ticket from updating
for a specified page. Can't this process be intercepted and overriden
in some place?

Actually, there is one other idea. The FormsAuthModule fires a
OnAuthenticate event which you can use to specify the user. If you specify
a method:

void FormsAuthentication_Authenticate(object s,
FormsAuthenticationEventArgs e)
{
if (HttpContext.Current.Request.Path == "ThePathIWantToIgnore.aspx")
{
e.User = new GenericPrincipal(new GenericIdentity(string.Empty,
string.Empty), new string[0]);
}
}

If you specify the identity, it won't be read from the forms auth cookie,
and you won't get the extention of the cookie timeout. I don't know why I
didn't think of this earlier.

 

[Brock Allen]

The event handler goes in global.asax. Modules that fire events can have
those events handled in global.asax via ModuleName_EventName syntax. Here's
the event decl:

http://msdn.microsoft.com/library/d...onmoduleclassauthenticatetopic.asp?frame=true

I searched the whole MSDN library and there is no OnAuthenticate
event. This is a good idea but how do I override this event and where
is this event?

The closest I could find is "AddOnAuthenticateRequestAsync" but I have
no idea how to implement this. It does not even show in the methods
that can be overriden in the IDE. It passes two delegates and this
async stuff makes me shudder. I could not find any examples of how
this works.

Thanks
Perry

Maybe there is another way to prevent the auth ticket from updating
for a specified page. Can't this process be intercepted and
overriden in some place?

Actually, there is one other idea. The FormsAuthModule fires a
OnAuthenticate event which you can use to specify the user. If you
specify a method:

void FormsAuthentication_Authenticate(object s,
FormsAuthenticationEventArgs e)
{
if (HttpContext.Current.Request.Path == "ThePathIWantToIgnore.aspx")
{
e.User = new GenericPrincipal(new GenericIdentity(string.Empty,
string.Empty), new string[0]);
}
}
If you specify the identity, it won't be read from the forms auth
cookie, and you won't get the extention of the cookie timeout. I
don't know why I didn't think of this earlier.

 

[Perecli Manole]

Ok I got the event in the global.asax and it does fire however this is just
an event not an override so unfortunately the expiration timeout is still
refreshed since the MS Authenticate code is still executing. Not only that
but setting the e.User as you have in the example makes that page get
redirected to the login screen because it fails authentication.

Got any more ideas?

Thanks
Perry

The event handler goes in global.asax. Modules that fire events can have
those events handled in global.asax via ModuleName_EventName syntax.
Here's the event decl:

http://msdn.microsoft.com/library/d...onmoduleclassauthenticatetopic.asp?frame=true

I searched the whole MSDN library and there is no OnAuthenticate
event. This is a good idea but how do I override this event and where
is this event?

The closest I could find is "AddOnAuthenticateRequestAsync" but I have
no idea how to implement this. It does not even show in the methods
that can be overriden in the IDE. It passes two delegates and this
async stuff makes me shudder. I could not find any examples of how
this works.

Thanks
Perry

Maybe there is another way to prevent the auth ticket from updating
for a specified page. Can't this process be intercepted and
overriden in some place?

Actually, there is one other idea. The FormsAuthModule fires a
OnAuthenticate event which you can use to specify the user. If you
specify a method:

void FormsAuthentication_Authenticate(object s,
FormsAuthenticationEventArgs e)
{
if (HttpContext.Current.Request.Path == "ThePathIWantToIgnore.aspx")
{
e.User = new GenericPrincipal(new GenericIdentity(string.Empty,
string.Empty), new string[0]);
}
}
If you specify the identity, it won't be read from the forms auth
cookie, and you won't get the extention of the cookie timeout. I
don't know why I didn't think of this earlier.

 

[Brock Allen]

Are you sure setting e.User = something doesn't work? Here's the code from
the FormsAuthModule where it renews the ticket:

private void OnAuthenticate(FormsAuthenticationEventArgs e)
{
HttpCookie cookie1 = null;
if (this._eventHandler != null)
{
this._eventHandler(this, e);
}
if ((e.Context.User != null) || (e.User != null))
{
e.Context.User = (e.Context.User == null) ? e.User : e.Context.User;
}
else
{
// does the work to renew the ticket
}
}

the line where it calls "this._eventHandler(this, e);" should be your code
in global.asax. So inspecting this code says to me that if the event assigns
a User then there's no need to renew the ticket.

Ok I got the event in the global.asax and it does fire however this is
just an event not an override so unfortunately the expiration timeout
is still refreshed since the MS Authenticate code is still executing.
Not only that but setting the e.User as you have in the example makes
that page get redirected to the login screen because it fails
authentication.

Got any more ideas?

Thanks
Perry

The event handler goes in global.asax. Modules that fire events can
have those events handled in global.asax via ModuleName_EventName
syntax. Here's the event decl:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpre
f/html/frlrfsystemwebsecurityformsauthenticationmoduleclassauthentica
tetopic.asp?frame=true

I searched the whole MSDN library and there is no OnAuthenticate
event. This is a good idea but how do I override this event and
where is this event?

The closest I could find is "AddOnAuthenticateRequestAsync" but I
have no idea how to implement this. It does not even show in the
methods that can be overriden in the IDE. It passes two delegates
and this async stuff makes me shudder. I could not find any examples
of how this works.

Thanks
Perry
Maybe there is another way to prevent the auth ticket from
updating for a specified page. Can't this process be intercepted
and overriden in some place?

Actually, there is one other idea. The FormsAuthModule fires a
OnAuthenticate event which you can use to specify the user. If you
specify a method:

void FormsAuthentication_Authenticate(object s,
FormsAuthenticationEventArgs e)
{
if (HttpContext.Current.Request.Path ==
"ThePathIWantToIgnore.aspx")
{
e.User = new GenericPrincipal(new GenericIdentity(string.Empty,
string.Empty), new string[0]);
}
}
If you specify the identity, it won't be read from the forms auth
cookie, and you won't get the extention of the cookie timeout. I
don't know why I didn't think of this earlier.

 

[Perecli Manole]

Here is the code exactly as I have it in the global.asax.

Sub FormsAuthentication_OnAuthenticate(ByVal s As Object, ByVal e As
FormsAuthenticationEventArgs)
If HttpContext.Current.Request.Path = "/ArgoWeb/ReminderCheck.aspx"
Then
e.User = New GenericPrincipal(New GenericIdentity(String.Empty,
String.Empty), New String() {""})
End If
End Sub

I stepped through it and the function does get called on every page and the
IF statement does give way on the correct page.
The expiration ticket however still gets refreshed when I inspect it in the
OnLoad event of the "ReminderCheck.aspx" page. Both IssuedDate and
ExpireDate get new values on every request. I have tested this with 2 min
login timeout and "ReminderCheck.aspx" being called every 5 seconds to
expedite the test.

How do you know what code is in the OnAuthenticate() method? Isn't that
compiled in the MS library? Is there away to override this method?

Thanks
Perry

Are you sure setting e.User = something doesn't work? Here's the code from
the FormsAuthModule where it renews the ticket:

private void OnAuthenticate(FormsAuthenticationEventArgs e)
{
HttpCookie cookie1 = null;
if (this._eventHandler != null)
{
this._eventHandler(this, e);
}
if ((e.Context.User != null) || (e.User != null))
{
e.Context.User = (e.Context.User == null) ? e.User :
e.Context.User;
}
else
{
// does the work to renew the ticket
}
}

the line where it calls "this._eventHandler(this, e);" should be your code
in global.asax. So inspecting this code says to me that if the event
assigns a User then there's no need to renew the ticket.

Ok I got the event in the global.asax and it does fire however this is
just an event not an override so unfortunately the expiration timeout
is still refreshed since the MS Authenticate code is still executing.
Not only that but setting the e.User as you have in the example makes
that page get redirected to the login screen because it fails
authentication.

Got any more ideas?

Thanks
Perry

The event handler goes in global.asax. Modules that fire events can
have those events handled in global.asax via ModuleName_EventName
syntax. Here's the event decl:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpre
f/html/frlrfsystemwebsecurityformsauthenticationmoduleclassauthentica
tetopic.asp?frame=true


I searched the whole MSDN library and there is no OnAuthenticate
event. This is a good idea but how do I override this event and
where is this event?

The closest I could find is "AddOnAuthenticateRequestAsync" but I
have no idea how to implement this. It does not even show in the
methods that can be overriden in the IDE. It passes two delegates
and this async stuff makes me shudder. I could not find any examples
of how this works.

Thanks
Perry
Maybe there is another way to prevent the auth ticket from
updating for a specified page. Can't this process be intercepted
and overriden in some place?

Actually, there is one other idea. The FormsAuthModule fires a
OnAuthenticate event which you can use to specify the user. If you
specify a method:

void FormsAuthentication_Authenticate(object s,
FormsAuthenticationEventArgs e)
{
if (HttpContext.Current.Request.Path ==
"ThePathIWantToIgnore.aspx")
{
e.User = new GenericPrincipal(new GenericIdentity(string.Empty,
string.Empty), new string[0]);
}
}
If you specify the identity, it won't be read from the forms auth
cookie, and you won't get the extention of the cookie timeout. I
don't know why I didn't think of this earlier.

 

[Brock Allen]

Ok, I'll have to setyp a test later to see if I can get this to work. As
for looking at the MS code, it's all there to see witih reflector:

http://www.aisto.com/roeder/dotnet/

Here is the code exactly as I have it in the global.asax.

Sub FormsAuthentication_OnAuthenticate(ByVal s As Object, ByVal e
As
FormsAuthenticationEventArgs)
If HttpContext.Current.Request.Path =
"/ArgoWeb/ReminderCheck.aspx"
Then
e.User = New GenericPrincipal(New
GenericIdentity(String.Empty,
String.Empty), New String() {""})
End If
End Sub
I stepped through it and the function does get called on every page
and the
IF statement does give way on the correct page.
The expiration ticket however still gets refreshed when I inspect it
in the
OnLoad event of the "ReminderCheck.aspx" page. Both IssuedDate and
ExpireDate get new values on every request. I have tested this with 2
min
login timeout and "ReminderCheck.aspx" being called every 5 seconds to
expedite the test.
How do you know what code is in the OnAuthenticate() method? Isn't
that compiled in the MS library? Is there away to override this
method?

Thanks
Perry

Are you sure setting e.User = something doesn't work? Here's the code
from the FormsAuthModule where it renews the ticket:

private void OnAuthenticate(FormsAuthenticationEventArgs e)
{
HttpCookie cookie1 = null;
if (this._eventHandler != null)
{
this._eventHandler(this, e);
}
if ((e.Context.User != null) || (e.User != null))
{
e.Context.User = (e.Context.User == null) ? e.User :
e.Context.User;
}
else
{
// does the work to renew the ticket
}
}
the line where it calls "this._eventHandler(this, e);" should be your
code in global.asax. So inspecting this code says to me that if the
event assigns a User then there's no need to renew the ticket.

Ok I got the event in the global.asax and it does fire however this
is just an event not an override so unfortunately the expiration
timeout is still refreshed since the MS Authenticate code is still
executing. Not only that but setting the e.User as you have in the
example makes that page get redirected to the login screen because
it fails authentication.

Got any more ideas?

Thanks
Perry
The event handler goes in global.asax. Modules that fire events can
have those events handled in global.asax via ModuleName_EventName
syntax. Here's the event decl:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cp
re
f/html/frlrfsystemwebsecurityformsauthenticationmoduleclassauthenti
ca tetopic.asp?frame=true


I searched the whole MSDN library and there is no OnAuthenticate
event. This is a good idea but how do I override this event and
where is this event?

The closest I could find is "AddOnAuthenticateRequestAsync" but I
have no idea how to implement this. It does not even show in the
methods that can be overriden in the IDE. It passes two delegates
and this async stuff makes me shudder. I could not find any
examples of how this works.

Thanks
Perry
Maybe there is another way to prevent the auth ticket from
updating for a specified page. Can't this process be intercepted
and overriden in some place?

Actually, there is one other idea. The FormsAuthModule fires a
OnAuthenticate event which you can use to specify the user. If
you specify a method:

void FormsAuthentication_Authenticate(object s,
FormsAuthenticationEventArgs e)
{
if (HttpContext.Current.Request.Path ==
"ThePathIWantToIgnore.aspx")
{
e.User = new GenericPrincipal(new GenericIdentity(string.Empty,
string.Empty), new string[0]);
}
}
If you specify the identity, it won't be read from the forms auth
cookie, and you won't get the extention of the cookie timeout. I
don't know why I didn't think of this earlier.

 

[Perecli Manole]

Hmm.. interesting about the reflector. I have tried out this tool before and
did not know it had a decompiler.

Anyway I appreciate time time you have taken answering my questions and
trying to help me out. I will be looking forward to your findings on yout
test.

Thanks
Perry

Ok, I'll have to setyp a test later to see if I can get this to work. As
for looking at the MS code, it's all there to see witih reflector:

http://www.aisto.com/roeder/dotnet/

Here is the code exactly as I have it in the global.asax.

Sub FormsAuthentication_OnAuthenticate(ByVal s As Object, ByVal e
As
FormsAuthenticationEventArgs)
If HttpContext.Current.Request.Path =
"/ArgoWeb/ReminderCheck.aspx"
Then
e.User = New GenericPrincipal(New
GenericIdentity(String.Empty,
String.Empty), New String() {""})
End If
End Sub
I stepped through it and the function does get called on every page
and the
IF statement does give way on the correct page.
The expiration ticket however still gets refreshed when I inspect it
in the
OnLoad event of the "ReminderCheck.aspx" page. Both IssuedDate and
ExpireDate get new values on every request. I have tested this with 2
min
login timeout and "ReminderCheck.aspx" being called every 5 seconds to
expedite the test.
How do you know what code is in the OnAuthenticate() method? Isn't
that compiled in the MS library? Is there away to override this
method?

Thanks
Perry

Are you sure setting e.User = something doesn't work? Here's the code
from the FormsAuthModule where it renews the ticket:

private void OnAuthenticate(FormsAuthenticationEventArgs e)
{
HttpCookie cookie1 = null;
if (this._eventHandler != null)
{
this._eventHandler(this, e);
}
if ((e.Context.User != null) || (e.User != null))
{
e.Context.User = (e.Context.User == null) ? e.User :
e.Context.User;
}
else
{
// does the work to renew the ticket
}
}
the line where it calls "this._eventHandler(this, e);" should be your
code in global.asax. So inspecting this code says to me that if the
event assigns a User then there's no need to renew the ticket.


Ok I got the event in the global.asax and it does fire however this
is just an event not an override so unfortunately the expiration
timeout is still refreshed since the MS Authenticate code is still
executing. Not only that but setting the e.User as you have in the
example makes that page get redirected to the login screen because
it fails authentication.

Got any more ideas?

Thanks
Perry
The event handler goes in global.asax. Modules that fire events can
have those events handled in global.asax via ModuleName_EventName
syntax. Here's the event decl:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cp
re
f/html/frlrfsystemwebsecurityformsauthenticationmoduleclassauthenti
ca tetopic.asp?frame=true


I searched the whole MSDN library and there is no OnAuthenticate
event. This is a good idea but how do I override this event and
where is this event?

The closest I could find is "AddOnAuthenticateRequestAsync" but I
have no idea how to implement this. It does not even show in the
methods that can be overriden in the IDE. It passes two delegates
and this async stuff makes me shudder. I could not find any
examples of how this works.

Thanks
Perry
Maybe there is another way to prevent the auth ticket from
updating for a specified page. Can't this process be intercepted
and overriden in some place?

Actually, there is one other idea. The FormsAuthModule fires a
OnAuthenticate event which you can use to specify the user. If
you specify a method:

void FormsAuthentication_Authenticate(object s,
FormsAuthenticationEventArgs e)
{
if (HttpContext.Current.Request.Path ==
"ThePathIWantToIgnore.aspx")
{
e.User = new GenericPrincipal(new GenericIdentity(string.Empty,
string.Empty), new string[0]);
}
}
If you specify the identity, it won't be read from the forms auth
cookie, and you won't get the extention of the cookie timeout. I
don't know why I didn't think of this earlier.

 

[Brock Allen]

Well, I just tried it and it worked like a charm. Is it possible that there's
another request being made to the server which is resetting your timeout?
If you want my sample I used to test, just email me.

Hmm.. interesting about the reflector. I have tried out this tool
before and did not know it had a decompiler.

Anyway I appreciate time time you have taken answering my questions
and trying to help me out. I will be looking forward to your findings
on yout test.

Thanks
Perry

Ok, I'll have to setyp a test later to see if I can get this to work.
As for looking at the MS code, it's all there to see witih reflector:

http://www.aisto.com/roeder/dotnet/

Here is the code exactly as I have it in the global.asax.

Sub FormsAuthentication_OnAuthenticate(ByVal s As Object, ByVal e
As
FormsAuthenticationEventArgs)
If HttpContext.Current.Request.Path =
"/ArgoWeb/ReminderCheck.aspx"
Then
e.User = New GenericPrincipal(New
GenericIdentity(String.Empty,
String.Empty), New String() {""})
End If
End Sub
I stepped through it and the function does get called on every page
and the
IF statement does give way on the correct page.
The expiration ticket however still gets refreshed when I inspect it
in the
OnLoad event of the "ReminderCheck.aspx" page. Both IssuedDate and
ExpireDate get new values on every request. I have tested this with
2
min
login timeout and "ReminderCheck.aspx" being called every 5 seconds
to
expedite the test.
How do you know what code is in the OnAuthenticate() method? Isn't
that compiled in the MS library? Is there away to override this
method?
Thanks
Perry
Are you sure setting e.User = something doesn't work? Here's the
code from the FormsAuthModule where it renews the ticket:

private void OnAuthenticate(FormsAuthenticationEventArgs e)
{
HttpCookie cookie1 = null;
if (this._eventHandler != null)
{
this._eventHandler(this, e);
}
if ((e.Context.User != null) || (e.User != null))
{
e.Context.User = (e.Context.User == null) ? e.User :
e.Context.User;
}
else
{
// does the work to renew the ticket
}
}
the line where it calls "this._eventHandler(this, e);" should be
your
code in global.asax. So inspecting this code says to me that if the
event assigns a User then there's no need to renew the ticket.

Ok I got the event in the global.asax and it does fire however
this is just an event not an override so unfortunately the
expiration timeout is still refreshed since the MS Authenticate
code is still executing. Not only that but setting the e.User as
you have in the example makes that page get redirected to the
login screen because it fails authentication.

Got any more ideas?

Thanks
Perry
The event handler goes in global.asax. Modules that fire events
can have those events handled in global.asax via
ModuleName_EventName syntax. Here's the event decl:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/
cp re
f/html/frlrfsystemwebsecurityformsauthenticationmoduleclassauthen
ti ca tetopic.asp?frame=true


I searched the whole MSDN library and there is no OnAuthenticate
event. This is a good idea but how do I override this event and
where is this event?

The closest I could find is "AddOnAuthenticateRequestAsync" but
I have no idea how to implement this. It does not even show in
the methods that can be overriden in the IDE. It passes two
delegates and this async stuff makes me shudder. I could not
find any examples of how this works.

Thanks
Perry
Maybe there is another way to prevent the auth ticket from
updating for a specified page. Can't this process be
intercepted and overriden in some place?

Actually, there is one other idea. The FormsAuthModule fires a
OnAuthenticate event which you can use to specify the user. If
you specify a method:

void FormsAuthentication_Authenticate(object s,
FormsAuthenticationEventArgs e)
{
if (HttpContext.Current.Request.Path ==
"ThePathIWantToIgnore.aspx")
{
e.User = new GenericPrincipal(new GenericIdentity(string.Empty,
string.Empty), new string[0]);
}
}
If you specify the identity, it won't be read from the forms
auth
cookie, and you won't get the extention of the cookie timeout.
I
don't know why I didn't think of this earlier.