Web forms authentication - intercepting the auto timeout event

Question

0.00/5 (No votes)

See more:

I need to intercept a web forms timeout event to trigger my own code.
How to do this?

What I have tried:

I have a website using Forms Authentication for user logins.
This is all working nicely but I want to include the ability to reject a logon if a user is already logged in. ie reject concurrent logons from 2 PC's.

To do this I have appended a 'LoggedIn' column to the SQL aspnet_Users table.
The asp:Login's 'LoginUser_LoggedIn' event writes a 1 to the LoggedIn column and further login attempts check this value before allowing access.

When the user logs off, the asp:LoginView's 'HeadLoginStatus_LoggedOut' event writes a 0 to the table to reverse the login.

As I said this is all working fine.

The problem I have is that when the forms automatic timeout is triggered, obviously the table is not updated to reflect the logout. I need to intercept the forms timeout event so as to update the users table.
How?

Here's the Forms code from the web.config file

<authentication mode="Forms">      
      <forms name=".ASPXAUTH" loginUrl="~/Account/Login.aspx" protection="All" timeout="240" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>

Posted 12-Nov-19 10:33am

Member 11709930

Updated 12-Nov-19 22:12pm

v4

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

MadMyche · Answer 1 · 2019-11-12T11:38:00

Solution 1

What you want to do is to utilize the Session End event to update our SQL table

Session_Start and Session_End | The ASP.NET Forums[^]

Posted 12-Nov-19 11:38am

MadMyche

Comments

Member 11709930 12-Nov-19 18:40pm

Thanks but I'm after the Forms Timeout which logs off the user.
Session timeout is somewhat different.

MadMyche 13-Nov-19 7:57am

I understand that; the only problem is there really is no documentation for a "Forms Timeout Event".
What you can do is utilize the SessionID along with the Token to set/reset your LoggedIn status.

Most likely you will need to do this within an HttpModule, which has events for AuthenticateRequest and AuthorizeRequest; and if the SessionID-Token pair is "broken" then you kill the login.

IF I have some spare time today, I will see if I can find some info or code... just consider this a starting point

Member 11709930 13-Nov-19 15:01pm

Appreciate your help MadMyche as I'm way out of my experience depth with this.

F-ES Sitecore · Answer 2 · 2019-11-12T22:13:00

Solution 2

Things you shouldn't spend time doing | The ASP.NET Forums[^]

Posted 12-Nov-19 22:13pm

F-ES Sitecore

Comments

Member 11709930 13-Nov-19 14:35pm

I agree with that up to a point.
In my case, I am restricting users so as to avoid having to buy a large number of SQL CAL's.

F-ES Sitecore 14-Nov-19 4:39am

In a web server there is only one thing accessing SQL and that is the web server, no matter how many users you have. I don't know a lot about licensing but it seems to me your actual issue is getting the right\appropriate license. I believe there are web specific licenses for SQL Server. In addition to all of that, being logged in or not does not define access. You're still a "client" if you are not logged in.