I have an issue with my ASP.Net web app built in 4.0 framework.
I have the below set in the web config -
<authentication mode="Forms">
<forms loginUrl="~/SignIn.aspx" protection="All" timeout="2880" path="/" />
</authentication>
When a user clicks my URL he sees the login page.
Now the session timeout is set to the default session timeout from IIS, which is 20 minutes.
Now when the session expires I would like to force the user to redirect to Logout.aspx.
How can I achieve this? I would like to redirect the user to the Logout.aspx page once the session times out.
The short answer is to check HttpContext.Current.Session.IsNewSession on each page request to see if the user's session timed out and has started a new session. In the event that it is a new session, redirect the user to the page of your choosing.
If you're using MVC or even just want to see a more thorough explanation of session timeouts in action, check out http://tyronedavisjr.com/2008/11/23/detecting-session-timeouts-using-a-aspnet-mvc-action-filter/ for an example.
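The check described in this answer, written out for Global.asax as an added example (not code from the original answer). It assumes the default session cookie name `ASP.NET_SessionId` and that Logout.aspx is reachable anonymously and performs the actual sign-out:

```csharp
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: default name; change it if <sessionState cookieName="..."> is set.
    private const string SessionCookieName = "ASP.NET_SessionId";
    private const string LogoutUrl = "~/Logout.aspx"; // page named in the question

    // Session state has been attached to the request when this event fires.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = Context;
        if (ctx.Session == null || !ctx.Session.IsNewSession)
            return; // handler without session state, or a live session

        // A first-time visitor sends no session cookie. A visitor whose session
        // expired still sends the old one. Read the raw header: Request.Cookies
        // can also contain cookies added to the response during this request.
        string cookieHeader = ctx.Request.Headers["Cookie"];
        bool sentOldSessionId = cookieHeader != null &&
            cookieHeader.IndexOf(SessionCookieName, StringComparison.OrdinalIgnoreCase) >= 0;
        if (!sentOldSessionId)
            return;

        // Never redirect the logout page to itself.
        string logoutPath = VirtualPathUtility.ToAbsolute(LogoutUrl);
        if (string.Equals(ctx.Request.Path, logoutPath, StringComparison.OrdinalIgnoreCase))
            return;

        // Expire the stale session cookie so the next request is seen as a
        // fresh visit and not as another timeout.
        HttpCookie expired = new HttpCookie(SessionCookieName, string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        expired.HttpOnly = true;
        ctx.Response.Cookies.Add(expired);

        // The forms ticket (timeout="2880" in the question) outlives the
        // 20-minute session, so Logout.aspx should call FormsAuthentication.SignOut().
        ctx.Response.Redirect(LogoutUrl, false);
        CompleteRequest();
    }
}
```

The redirect only happens on the user's next request after the timeout; nothing is pushed to an idle browser.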
In my application, the session is not reset if the user is active.
My session timeout is 20 min.
That means: suppose a user is logged in to my application and doing some operation. That operation takes 20 mins. Then, in the middle of the operation, the application shows a session timeout error and redirects to the login page, which is not good.
How can I solve this problem?
How do I reset the session when the user is active? If the user is inactive for 20 min, then it should redirect to the login page.
If the user is idle for 15 min and after that the user does some operation, then the user should not be redirected to the login page.
I found some links about setting this at the IIS level, which is not working.
Can you please help me solve this one?
Thanks in advance
If you are using forms authentication, then the following code will help.
<authentication mode="Forms">
<forms defaultUrl="FrmAbc.aspx" loginUrl="FrmLogin.aspx" protection="All" cookieless="UseCookies" slidingExpiration="true" timeout="1200" />
</authentication>
I am implementing C# authorization using jQuery cookies for my page. I set/encrypt the username and password in the cookie, and in my admin page, if I recognize the cookie, then the user is authorized. If not, he gets redirected to the login page. The problem is that the cookie is read after the page is loaded, so I can manually hit the admin page and only after a couple of seconds will it get redirected. How do I prevent loading the admin page for visitors who have no cookie yet? What is the correct architecture for cookie-based authorization?
Note: I am not using ASP.NET roles or User tables. I implemented my own tables for users.
I suspect that you're re-inventing the wheel. You don't have to use the Membership Provider and ASP.Net membership schema in order to take advantage of forms authentication. When the user logs in, simply drop the Auth Ticket (cookie) on them and you're done. You can then simply do the admin check on the admin page.
Some suggestions below...
Edit: I originally posted a means of storing roles in the Auth Ticket via UserData, but I think it's overkill for this situation.
Web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="30" slidingExpiration="true" />
</authentication>
. . .
<membership>
<providers>
<clear />
</providers>
</membership>
Post login:
When the user submits their username and password, validate them and check to see if they are an admin:
if (UserIsValid(username, pwd)) // some validation call
{
FormsAuthentication.SetAuthCookie(username, true);
}
Admin.aspx:
Finally, a quick hack to restrict access to an admin page. When the page loads, check that the user is / is not an admin:
if (!IsAdmin(User.Identity.Name)) // some admin call
Response.Redirect("Default.aspx");
The problem is that you use client-side code for your security check. If someone disabled JavaScript completely, he would never be redirected. Move the check to your server-side code.
I have an asp.net 4.0 application that is using forms authentication set to a timeout at 45 minutes. I would like to redirect the user to a timeout page when the session has expired. Can anyone tell me how to do this? I am running .net 4.0.
web.config has:
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/Login.aspx"
defaultUrl="~/Default.aspx" protection="All" timeout="45"
requireSSL="false">
</forms>
</authentication>
Global.asax.cs file has:
void Session_End(object sender, EventArgs e)
{
Response.Redirect("~/Timeout.aspx");
}
It's not possible to do a redirect in the Session_End method. It's not running as a result of a request, so it doesn't have a Response object and there is no response to redirect anywhere.
It's not possible to do anything in the browser as a result of the session expiring. The HTTP protocol is request oriented, so there is no way to push a message from the server to the browser without the browser asking for it.
The browser just can't find out if the session has expired or not. If you would poll the server to check if the session has expired, it would keep the session alive, defeating the purpose of the timeout.
You can make a redirect after 45 minutes using just client script:
window.setTimeout(function() {
window.location.href = '/Timeout.aspx';
}, 1000*45*60);
However, this will make the redirect only based on the time since this browser window last contacted the server. If you have more than one browser window for the same session, it's possible that the session has actually not timed out.
How is your session state implemented? Session_End only works when you are using InProc.
See http://www.eggheadcafe.com/articles/20021016.asp
In MVC you can add this code in _ViewStart.cshtml
_ViewStart.cshtml:
@{
    // Reload the page five seconds after the session timeout elapses.
    Response.AddHeader("Refresh", Convert.ToString((Session.Timeout * 60) + 5));
    if (Session.IsNewSession)
        Response.Redirect("Logout.aspx"); // or another page which you want.
}
How to Redirect on Session End
I use ASP.NET and ASP.NET Authentication.
I have a website with structure like:
ROOT
- CMS
  - AdminCms
    - web.conf*
- FORUM
  - AdminForum
    - web.conf*
- web.conf ***
Now in web.conf *** I use for CMS LOGIN PAGE
<authentication mode="Forms">
<forms loginUrl="~/Cms/AdminCms/Login.aspx" timeout="2880" />
</authentication>
My Questions:
How can I have another DEFAULT LOGIN PAGE for another folder? (If the user uses, for example, FORUM.)
Would it be possible to insert in web.conf* another
<authentication mode="Forms">
<forms loginUrl="~/Forum/AdminForum/Login.aspx" timeout="2880" />
</authentication>
Any ideas?
Based on my comment earlier - Forms authentication allows redirecting a user to different pages after a successful login. To enable this, forms authentication keeps track of the original page a user came from in the ReturnUrl request parameter to the login page.
In your case you could do something like this in the codebehind of your login page after a successful login:
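// ReturnUrl is only inspected to pick one of two fixed targets; it is never used as the redirect URL itself.
string originalTarget = Request.Params["ReturnUrl"];
if (originalTarget != null)
{
    if (originalTarget.Contains(@"/FORUM/"))
        Response.Redirect(someForumURL);
    else
        Response.Redirect(someCMSURL);
}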
Edit: Here also a link to an article - Forms Authentication - Redirecting users to a Page other than Default.aspx
If you mark both the folders, CMS and Forum, as an application in IIS, you can easily do this since both of them will be a separate application domain.
In an ASP.NET 3.5 application running on IIS, how do I force a "deauthentication" of all currently logged-in and authenticated users?
iisreset didn't seem to do the trick!
Changing the authentication form name will then require new authentication from all users.
From:
<authentication mode="Forms">
<forms name="originalName" loginUrl="~/Account/Login" />
</authentication>
To:
<authentication mode="Forms">
<forms name="differentName" loginUrl="~/Account/Login" />
</authentication>
ASP.NET authentication is designed to be resilient to an IISReset due to its use of cookies - performing an IISReset will clear any in-memory information, but the next time a user asks for a page on your site, they will send their authentication token, which (if it hasn't timed out) will still be valid, and the server will re-authenticate them.
You could write something that would effectively log out the user after a restart, by (for example) storing the application start time in a global variable in Application_Start, and then comparing the user's LastActivityDate with that value - if it's before the start time, then you can call the appropriate sign-out method during Application_SessionStart or Application_BeginRequest.
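One way to implement the start-time comparison from this answer, as an added example (not code from the original answer). It is an assumption of this sketch that the forms ticket's own issue time is compared instead of a membership LastActivityDate, and that the check runs in Application_PostAuthenticateRequest on a single server:

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Tickets issued before this instant are treated as revoked.
    private static DateTime appStartedAt;

    protected void Application_Start(object sender, EventArgs e)
    {
        // FormsAuthenticationTicket.IssueDate is local time, so compare with Now.
        appStartedAt = DateTime.Now;
    }

    // Runs after FormsAuthenticationModule has set Context.User from the cookie.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return; // anonymous request, nothing to revoke

        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { }      // malformed ticket
        catch (CryptographicException) { } // tampered, or protected with other keys

        if (ticket != null && ticket.IssueDate >= appStartedAt)
            return; // issued after this start: still accepted

        // Expire the cookie and continue as anonymous; URL authorization then
        // sends protected requests to loginUrl as for any signed-out user.
        FormsAuthentication.SignOut();
        Context.User = new GenericPrincipal(
            new GenericIdentity(string.Empty), new string[0]);
    }
}
```

Every application pool recycle also moves the cut-off forward, so users are signed out on routine restarts as well; in a web farm each server would have its own start time, and the cut-off would need to come from shared configuration instead.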