Forms Authentication Timeout vs Session Timeout
Source: Internet  Published: 2018 latest SEO basic tutorial  Editor: 程序博客网  Time: 2024/05/29 11:54
We have an old .NET 1.1 web application which I have to support, and a recent change in the login process for a select few customers has been playing havoc with every user's session. The folks at QA have been giving me a really hard time lately over this bug, and I just couldn't work out what was causing this weird behavior.
The problem was that if we set the forms authentication and session timeouts to 10 minutes and, after the 10th minute, the user clicked on any link, the app would redirect the user to the login page but the session was not abandoned, i.e. the forms authentication ticket had expired but the session state had not timed out. To make matters worse, I was unable to reproduce it on the DEV or QA instance with my automated test script, but was able to reproduce it by manually following the steps.
After a lot of googling I finally realized the solution was right there and I had just overlooked it. The problem was in the way timeouts work for authentication tickets vs session state.
A forms authentication ticket can time out in two ways. The first scenario occurs if you use absolute expiration. With absolute expiration, you set an expiration of 20 minutes, and a user visits the site at 2:00 PM. The user will be redirected to the login page if the user visits the site after 2:20 PM, even if the user visited some pages between 2:00 PM and 2:20 PM.
Now if you are using sliding expiration for both forms authentication and session state, the scenario gets a bit more complicated. With sliding expiration the session state timeout is updated on every visit, but the cookie and the resulting authentication ticket are only updated if the user visits the site after more than half of the expiration time has elapsed.
For example, you set an expiration of 20 minutes for both the forms authentication ticket and session state, and you set sliding expiration to true. A user visits the site at 2:00 PM, and the user receives a cookie that is set to expire at 2:20 PM. The authentication ticket expiration is only updated if the user visits the site after 2:10 PM. If the user visits the site at 2:08 PM, the authentication ticket is not updated but the session state timeout is, and the session now expires at 2:28 PM. If the user then waits 12 minutes, visiting the site at 2:21 PM, the authentication ticket will have expired and the user is redirected to the login page, but guess what, the session timeout has not yet expired.
Here is the Microsoft Knowledge Base article that explains this:
http://support.microsoft.com/kb/910439
So, how do we sync these two timeouts, or force the other to time out if one of them expires? The workaround we came up with was to set the authentication timeout to double the value of the session timeout and to have the following code in global.asax.cs. With the authentication ticket living twice as long as the session, the session always expires first; when a request then arrives with an old session cookie but a still-valid ticket, the handler signs the user out so that a fresh login is forced.
    using System;
    using System.Web;
    using System.Web.Security;

    // Global.asax.cs. Session_Start is assumed here; the original post omits the handler
    // signature. ASP.NET raises it when it creates a new session. If the request still
    // carries an ASP.NET_SessionId cookie, the previous session timed out, so if the forms
    // authentication ticket is still valid we sign the user out and redirect, which forces
    // a fresh login instead of continuing with an empty session.
    protected void Session_Start(object sender, EventArgs e)
    {
        if (Session != null && Session.IsNewSession)
        {
            string szCookieHeader = Request.Headers["Cookie"];
            if ((szCookieHeader != null) && (szCookieHeader.IndexOf("ASP.NET_SessionId") >= 0))
            {
                if (User.Identity.IsAuthenticated)
                {
                    FormsAuthentication.SignOut();
                    Response.Redirect(Request.RawUrl);
                }
            }
        }
    }
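To see why the two sliding timers drift apart, and why doubling the authentication timeout relative to the session timeout keeps the session expiring first, here is a small Python simulation added for this write-up; it is not part of the original post or of the ASP.NET code above. It models the two renewal rules from the KB article (ticket renewed only once more than half its lifetime has elapsed, session state renewed on every request) with constructed visit times in minutes, and then brute-forces short visit schedules to check that no schedule leaves a dead ticket next to a live session once the authentication timeout is doubled.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass
class SlidingTimers:
    """Two independent sliding timers; times are minutes since login (constructed model)."""
    auth_timeout: int       # forms authentication ticket timeout
    session_timeout: int    # session state timeout
    auth_issued: int = 0
    auth_expires: int = 0
    session_expires: int = 0

    def login(self, t):
        self.auth_issued, self.auth_expires = t, t + self.auth_timeout
        self.session_expires = t + self.session_timeout

    def request(self, t):
        """One request at minute t. Returns (ticket_valid, session_alive); session_alive
        is the opposite of Session.IsNewSession, i.e. the previous session still exists."""
        ticket_valid = t < self.auth_expires
        session_alive = t < self.session_expires
        # Sliding ticket renews only once more than half its lifetime is gone (remaining < elapsed), per KB 910439.
        if ticket_valid and (self.auth_expires - t) < (t - self.auth_issued):
            self.auth_issued, self.auth_expires = t, t + self.auth_timeout
        # Session state slides on every request; a fresh session starts its own timer.
        self.session_expires = t + self.session_timeout
        return ticket_valid, session_alive

def stale_session_possible(auth_timeout, session_timeout, visits):
    """True if the visit that first finds the ticket expired (the redirect to the login
    page) still sees the old session alive, which is the state the article describes."""
    timers = SlidingTimers(auth_timeout, session_timeout)
    timers.login(visits[0])
    for t in visits[1:]:
        ticket_valid, session_alive = timers.request(t)
        if not ticket_valid:
            return session_alive
    return False

def any_schedule_stale(auth_timeout, session_timeout, horizon=60, max_visits=3):
    """Brute-force every schedule of up to max_visits follow-up requests within the horizon."""
    return any(stale_session_possible(auth_timeout, session_timeout, [0, *visits])
               for k in range(1, max_visits + 1)
               for visits in combinations(range(1, horizon), k))

if __name__ == "__main__":
    # Article's 2:00/2:08/2:21 PM walk-through with both timeouts at 20 minutes, then the
    # workaround with the authentication timeout doubled relative to the session timeout.
    print(stale_session_possible(20, 20, [0, 8, 21]), any_schedule_stale(40, 20))  # True False
```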