How to make both rolling and absolute timeout in asp.net form authentication

I have an asp.net application that currently uses authentication with slidingExpiration="true". In web.config we have the following:

    <authentication mode="Forms">
      <forms loginUrl="Mylogin.aspx" timeout="15" slidingExpiration="true"/>
    </authentication>

It all works to specification: a rolling 15-minute expiration occurs. However, now we have a new security requirement: users must re-authenticate every 24 hours, even if they have been “active” all the time. In other words, even if you clicked a link on the site every minute for the 24 hours immediately after logging in, after 24 hours you will be automatically logged out and redirected to the login page.

But slidingExpiration is true / false. As far as I can tell, there is no “both” function (for example, slidingExpirationTimeout="15" and absoluteExpirationTimeout="1440").

Except for my own solution, is there a way to implement this with built-in forms authentication?

Thanks in advance.

+4
1 answer

You can store the current time in a session value when the user session starts, in the Global.asax file, then with each subsequent request compare the value in the session with the current time until it becomes == current time.

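    void Application_AcquireRequestState(object sender, EventArgs e)
    {
        // Session is null for requests that do not use session state.
        if (HttpContext.Current.Session == null) return;

        // The value is missing until Session_Start has stored it.
        object started = HttpContext.Current.Session["SessionStarted"];
        if (started == null) return;

        // Elapsed time is current minus start; the reverse order is always negative.
        DateTime current = DateTime.Now;
        double totalHours = current.Subtract((DateTime)started).TotalHours;
        if (totalHours >= 24)
        {
            // End session: drop session state, clear the forms cookie, go to login.
            HttpContext.Current.Session.Abandon();
            System.Web.Security.FormsAuthentication.SignOut();
            System.Web.Security.FormsAuthentication.RedirectToLoginPage();
        }
    }

    void Session_Start(object sender, EventArgs e)
    {
        // Code that runs when a new session is started
        Session["SessionStarted"] = DateTime.Now;
    }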

HttpApplication.AcquireRequestState Event

Occurs when ASP.NET receives the current state (for example, session state) associated with the current request.

+1

Source: https://habr.com/ru/post/1497465/

