Auth Cookie expiration in .Net

Question

I'm working on an app using ASP.Net's form authentication. The client also makes RESTfull calls to the server (ExtJS components on front end).

We are using a custom HttpHandler for the service calls.

My problem is that anytime the anytime the authentication cookie expires my HttpHandler 's ProcessRequest method isn't called in order for me to check for the cookie's absence and redirect the user to log in again.

An example would be a user leaves a page open then comes back in 20 mins and clicks on a dropdown that is loaded asynchronously. The app just hangs never getting to my handler.

Any thoughts?

Answer 1

Highly suggest reading the section entitled "The Pipeline Event Model" in this MSDN magazine article: Securely Implement Request Processing, Filtering, and Content Redirection with HTTP Pipelines in ASP.NET.

In a nutshell, authentication is performed well before the request is handed over to ProcessRequest() in your HttpHandler. If you need to handle these cases, you will need to hook into the pipeline events (such as BeginRequest or Authenticate Request) and add your own handlers, like so:

public class EnableWebServicesModule : 
               IHttpModule
  {

    public void Init(HttpApplication app)
    {
      // register event handler
      app.BeginRequest +=  new EventHandler(this.OnBeginRequest);
    }

    public void OnBeginRequest(object obj, EventArgs ea)
    {
      // Check if security works here by looking for the cookie or
      // the user context.

    }

    ...
}

For further reading on this fascinating and exciting topic, check Rich Strahl's walkthrough: A low-level Look at the ASP.NET Architecture