Windows Authentication/Session Timeout issue

jamminjime

Since all of the brightest at Microsoft seem to be in here, I will ask
you guys this question.

We have an intranet application using Windows Authentication. I was
NOT in on writing it, I just have to squash the bugs. This
application has a timeout set in the web.config file of xx minutes.
USING WINDOWS Authentication, we don't have a login page. When the
session times out and a user tries to continue working (long lunch,
etc), it throws an error something like "Session is in an invalid
state" or something to that effect. I am sure that their session has
timed out and they need to return to the main page and start over.

My question to the group is....

How can I redirect an ASP.NET application that uses Windows
Authentication upon session timeout?

I have seen a lot of OLD posts stating that you should use Forms
Authentication to do this or use the Meta tag REFRESH to handle it. I
am an older coder which means I am lazy and want to do this the
easiest way possible (and without checking out some 300 web forms from
VSS).

Any ideas?

Thanks,

Jamminjime
 
Joe Kaplan

Authentication and session state are not related with either forms auth or
Windows auth. Session state is maintained via a cookie. With forms auth, a
different cookie is used (with potentially a different timeout), while with
Windows auth, the authentication state is maintained with different headers.

When you are using Windows auth, your authentication doesn't become invalid
if your session state times out. You are still authenticated. You just need
to anticipate in your code that your session data that you need might not be
there and return the user to a known safe starting place.

One way to do this would be simply check if the session data you need isn't
there and then redirect to where you need to be to get to a known good
state. You can also do some fancier stuff using global.asax events to check
for session start events in places where a new session should not be started
and handle the problem from there.

Another thing to consider is to avoid using session state in the first
place. Users tend to hate it as they can't go to lunch without losing the
work they were in the middle of doing (unless you use very long timeouts,
although that just disguises the problem). Use other state management
techniques like cookies, query strings, form fields/view state or
persistence of intermediate data to your database.

Joe K.
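
The Global.asax approach described in the reply above, as an added example that is not part of any post in this thread. It assumes cookie-based session state with the default cookie name `ASP.NET_SessionId`, and the start page `~/Default.aspx` and the `expired` query parameter are hypothetical names.

```csharp
// Global.asax.cs -- added example, not code from the thread.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: the application's known-good starting page.
    private const string StartPage = "~/Default.aspx";

    // Default name of the ASP.NET session cookie; change it if
    // <sessionState cookieName="..."> is set in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    protected void Session_Start(object sender, EventArgs e)
    {
        // Store a value so the new session ID is kept across requests.
        Session["StartedUtc"] = DateTime.UtcNow;

        // A new session on a request that already carries a session cookie
        // means the browser's previous session no longer exists on the server.
        string cookieHeader = Request.Headers["Cookie"];
        bool hadSessionCookie = cookieHeader != null &&
            cookieHeader.IndexOf(SessionCookieName,
                                 StringComparison.OrdinalIgnoreCase) >= 0;

        // Never redirect a request for the start page itself (avoids a loop).
        string startPath = VirtualPathUtility.ToAbsolute(StartPage);
        bool onStartPage = string.Equals(Request.Path, startPath,
                                         StringComparison.OrdinalIgnoreCase);

        if (hadSessionCookie && !onStartPage)
        {
            // The target is fixed on the server; nothing from the request is
            // used to build it. The user's Windows identity is unaffected.
            Response.Redirect(startPath + "?expired=1", false);
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

A redirected POST loses its form data, so the start page can use the `expired` flag to tell the user why they were sent back.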
 
Kyle M. Burns

Have you considered using a global error handler for this? In your
Application level error event, you can check for this specific type and
redirect the user. You could either transport them to a page that's a valid
starting point for sessions or to an interstitial page that first informs
them that their session has timed out and then takes them to the valid
starting point.
 
