Display message to user when forms authentication session expires

Question

This seems simple and I remember doing it a couple of years ago.

I simply want to display a message on the login page when the user is automatically redirected there after requesting a page that they were logged in for but their session has now expired. So essentially if the user was working but stepped away for a lunch break without logging out I want the system to tell them why they were sent back to the login page.

Something like "You have been idle for too long so you must log back in".

This has to be easy I am just running into a wall here. I thought about getting the original ticket and reading the expiration date but I'm a little lost.

Any ideas?

Brent

Answer 1

Try this JavaScript on for size:

Make sure that a property called LoginPageUrl exists on the code behind. Great for Master pages.

If you want to register the script from code-behind, you could even pull the session timeout from the application and inject it so that you still only have one place (web.config) to update it.

To display a message to the user after redirecting them to the login page (.NET will take care of expiring the cookie), send a query string parameter that the login page looks for and shows a message indicating that the user was logged out due to inactivity.

<head>
...
</head>
<body onload="logoutOnExpire();" >
<script type="text/javascript">
        // ACTIVITIES TO RUN FOR THE PAGE
        function logoutOnExpire() {
            clearTimeout(logoutTimeout);
            logoutTimeout =
               setTimeout('location.href = '<%= LoginPageUrl %>';', 1200000);
               // 20 minutes
        }
</script>
<form id="form" runat="server">
...
</form>
</body>
</html>

Answer 2

You can check the session in the inner page and if session does not exist,Redirect to the login page with some value in querystring to understand from which page this call came.When user logged in back,You can use the querystring value to determine which page to be displayed back.

MyPage.aspx.cs,In Page load you can check,

if(Session["user"]==null)
{
  Response.Redirect("Login.aspx?from=mypage");
}
else
{
  // Do the other stuff for the loged in user
} 

And In Login.aspx.cs,In the code where you check your login details from the form

string userName=txtUserName.Text; 
string password=txtPass.Text;
if(IsValidLogin(userName,password)
{
  string toUrl="defaul.aspx";
  if(Request.QueryString["from"]!=null)
  {
   string fromPage=Request.QueryString["from"];
    if(fromPage=="mypage")
    {
       toUrl="mypage.aspx";
    }
    else if(fromPage=="review")
    {
       toUrl="review.aspx";
    }
  }
  Response.Redirect(toUrl);
}

Answer 3

If what you want is to send the user to a page other than the login page when they cause a server postback after their session expires, use the following code at the top of the Page_Load event (this may not work if .NET executes it's redirect first).

if(!Context.User.Identity.IsAuthenticated)
{
    Response.Redirect("~/OtherPage.aspx", false);
}

If you create a base page in your website that all pages inherit from, add it to that page's Page_Load.

Answer 4

If you are redirected to the default login page, after an attempt to use a page after your session has been timed out, is not the redirecturl param set to the page you were trying to access.

So you could infer that if that is set they were previously on a page and then present your message about being logged out due to going for lunch., etc.