![]() Also if we found user is not authenticated any more then used to clear and abandon the session and redirects the user to login page. To avoid any unprecedented event like above, I put a check for an authentication and session on every page, So that user cannot continue further if session or authentication is not valid. Other scenario, If some how IIS gets reset the sessions of the users connected to that web server will become invalid while the user authentication will still be valid. Sometimes there are some performance improvement has been done which resets on the counter only at certain points say if after 5 or 7 minutes as to reset the authentication timeout on very request is costly. Like if have authentication timeout for 10 minutes, the authentication timeout counter does not get reset on every request to 10 minutes. Like Session gets time out if the last request made was 10 (in my example session timeout is 10 minutes) or more minutes and on every request the counter get resets for 10 minutes but Authentication timeout does not work in same ways in different browsers. This is just first step to avoid the discrepancy between the timeout of Authentication and Session.īut at certain browsers, it behaves differently. So normally we put the authentication time out and same time out as same. But I’ll be still authenticated and able to browse application even my session expired and got recreated and my existing session data will be lost. As my session time out is 10 mins while my authentication time out is 15 mins. After browsing for 5 mins, I left it for around 12 mins and my session got timeout. Normally, we set authentication time out and session timeout same but what may happen if we haveĪs you can see in the above scenario, I have set session time out is less than authentication timeout. Normally in our application, as soon as user clicks on sign out, we used to kill session. So these two are separate modules and works independently. For session handling we have SessionStateModule which is available under the namespace and various Authentication mechanism in ASP.NET like Form Authentication is also available via a HTTPModule FormsAuthenticationModule which is under the namespace. ![]() Session and Authentication are also developed as HTTPModules. Many features of ASP.NET are developed as HTTP Module. We can show it pictorially asĪs you can see, An asp.net request goes through many HTTPModules and finally served by a HTTPHandler. Authentication works separately.Īs you know, A user request any Page, It goes through many HTTPModules and lastly served by a HTTPHandler. Session start and expire does not have any connection with authentication start and authentication timeout. So if your website does not have a check on session expiration before Login then it wont be visible to your user and even if user Logins after the specified amount of time, A new session will be created.īut so many people get confused about authentication and session. So it does not matter whether you Login or not, session will be expired after the specified amount of time. So as you can see above, as soon as user accesses the site and the first page gets opened, the countdown of the session timeout starts. So first let me explain, how session works So I thought of writing a blog post on it. I have also found many other developers have same question. Some of my colleagues was saying, how a session can expire even before successfully login. I have myself seen to many application where I open the Login page and after sometime when I enter my Login details but it redirects me to session expired page. I analyzed that Issue and found that users used to open the website first page which is obviously the Login page and some of them left the page for a while around 15 or more minutes and after that they when they again back to system, used to enter the credentials and click on login button, it redirects them to session expired page. Later, user can click on login link and redirected to Login page. In that application, We developed a generic methodology, then whenever a user clicks on any action that requires a post back, it first checks whether session is expired or not and if expired then redirects to a custom session expired page. They said that they get redirected to session expired page even before they actually Login. In my starting phase of Career, My client reported me a peculiar issue.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |