PartialView Render Forms timeout

Question

I'm fetching a partial view via $.ajax() and in the situation where you set idle for 30 minutes and then try to fetch that partial view, the forms authentication has timed out and instead of getting my partial view returned to me, I'm getting the login page render into my .

Any suggestions on how to deal with a situation like this?

Thank you.

$(function () {
    $("#addContact").click(function () {
        $.get('/Contacts/Add', function (data) {
            $("#content").html(data);  <--gets login page as data
        });
    });
});

Answer 1

It depends a little on if you're ok with changing the length of time users will be logged in for. If you are, you can change your config file to something like the following...

<authentication mode="Forms">
  <forms loginUrl="Login.aspx" timeout="512640" />
</authentication>

This will keep users logged in for one year. If changing the amount of time users are logged in is not an option, you would need to handle the ajax response and redirect users to a login form again.

Answer 2

Does your Add Action have any non-Ajax consumers? If not, I'd suggest removing the [Authorize] attribute from the action, which would remove the timeout-redirect problem. (If you have your entire controller decorated with [Authorize], you'd need to remove the controller-level attribute and adorn all of your other actions. Annoying, I know).

For extra security, you could then do something like this to prevent non-Ajax calls from calling your Add action.

    public ActionResult Add()
    {
        if (Request.IsAjaxRequest())
            return View("Error");

        return View();
    }

If, on the other hand, your Add action needs to support Ajax and normal calls, one way you can address this issue is to create a new Attribute class that inherits from and overrides AuthorizeAttribute. Check out the source for guidance: http://aspnet.codeplex.com/SourceControl/changeset/view/23011#266447

You should be able to do the trick by overriding the AuthorizeCore method, like so

public class AjaxAuthorizeAttribute: AuthorizeAttribute
{
    protected override bool AuthorizeCore(System.Web.HttpContextBase httpContext)
    {
        if (httpContext.Request.IsAjaxRequest())
            return true;

        return base.AuthorizeCore(httpContext);
    }
}

Now you can use [AjaxAuthorize] on your controller and/or action.

To be clear, what you're doing here is giving the user an extension on their timeout if they initiate a call via Ajax. Once they refresh the page, or navigate away, they would be prompted to log back in, as normal.

Hope that helps. Let me know if you run into any issues.

Answer 3

Prior to making the Ajax call, can you make another one to an unauthorized controller to ensure that the user is authenticated? If they are, continue as normal, otherwise you can just show a login lightbox so you don't leave the page and maintain the user experience.