I defined a Controller to force authentication by using the [Authorize] attribute. When a session times out, the request is still passed down and executed instead of forcing a redirect.

I do use FormsAuthentication to log in and log off users.

Any ideas on how to control that?

Example:

```csharp
[Authorize]
public class ProjectsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

A: 

To track user sessions ASP.NET uses the *ASP.NET_SessionId* cookie. To track authenticated users ASP.NET uses the ASPXAUTH cookie (by default).

When a session times out, the *ASP.NET_SessionId* cookie might no longer be sent by the client, but the ASPXAUTH cookie is still sent, which might explain why your action is rendered.

To override default forms authentication values you might take a look here. I also suggest you use the Firebug extension to see exactly which cookies are sent by the client.

Darin Dimitrov
A: 

Based on your other question, I would guess you are not getting to this controller at all.

MrJavaGuy
I get into the controller but I am stuck within the Index method, so I can't use the same controller for other methods because they all post back to the Index method. Example: a path like /projects/edit/1 would post the form to ProjectController method Index()
NTulip
Sounds like you have either a form within a form on your page, or a bad routing setup. Can you post your routes and the view source from the page in question?
MrJavaGuy
+1  A: 

Again, ASP.NET MVC builds on top of traditional ASP.NET. Yes, there is a "built authentication shizzle"... it's the exact same Membership API that traditional ASP.NET uses.

Meaning... something else is the problem here. Maybe you have sliding sessions turned on... or maybe the timeout is higher than you thought, etc.

Timothy Khouri
I had to turn off sliding sessions and it seems to have resolved it.
NTulip
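
The answers above note that the forms authentication ticket and the session are tracked by separate cookies, so a request can pass `[Authorize]` after the session has timed out. The following is an added example, not code from any of the posters or from ASP.NET itself, of an authorization filter that refuses a valid ticket when the session it was issued with is gone. `SessionBoundAuthorizeAttribute`, `SessionMarkerKey` and `BindSession` are hypothetical names, and the login action is assumed to call `BindSession` right after `FormsAuthentication.SetAuthCookie`.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical attribute: ties the forms authentication ticket to the session
// that existed at login. Not part of ASP.NET MVC.
public class SessionBoundAuthorizeAttribute : AuthorizeAttribute
{
    public const string SessionMarkerKey = "AuthenticatedUser"; // assumed key name

    // Assumption: the login action calls this after FormsAuthentication.SetAuthCookie.
    public static void BindSession(HttpSessionStateBase session, string userName)
    {
        session[SessionMarkerKey] = userName;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Standard check first: valid ticket plus any Users/Roles restrictions.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // The ticket is valid, but it is tracked independently of session state.
        // After a session timeout the marker written at login no longer exists.
        HttpSessionStateBase session = httpContext.Session;
        string boundUser = session == null ? null : session[SessionMarkerKey] as string;

        if (string.Equals(boundUser, httpContext.User.Identity.Name, StringComparison.Ordinal))
            return true;

        // Session expired or belongs to a different login: expire the auth cookie.
        // Returning false yields a 401, which forms authentication turns into a
        // redirect to the configured login page.
        FormsAuthentication.SignOut();
        return false;
    }
}

[SessionBoundAuthorize]
public class ProjectsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

This check is independent of the sliding expiration setting discussed in the last answer: whichever way the ticket lifetime is configured, the request is rejected once the server-side session is gone.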