2

When you have forms authentication set up to redirect to login.aspx when accessing a protected page, what's a good way to detect in login.aspx whether the user was sent there because they haven't logged on yet, or because their forms auth ticket is expired? I'd like to display a "you've timed out" message.

(I do not mention the word session in this question, because ASP.NET treats them so distinctly; however, if there is a good solution that involves session, I'm all ears.)

I've solved this in the past by having another cookie "hasloggedin" set when a user logs in and then checking to see if that exists to determine if it's a timeout and then displaying an appropriate message. But, this has to be a common problem?

1
  • Your cookie method seems to be a good way to do it. If you are already using session variables (depending on their relative timeout value to the authentication timeout), you could check Page.Session.IsNewSession to see if the session was created with the current request. Commented Oct 2, 2010 at 19:51

1 Answer

2

Forms authentication will automatically append a URL parameter 'ReturnURL', indicating what page (if any) triggered the redirection to the login page. Most websites have a 'Default.aspx' or 'index.html' etc as the default page. You can check the ReturnURL to see if it contains the default page, or some other page in your application.

EXAMPLE:

```csharp
// Initialise so the comparison below compiles when no ReturnURL is present
string refererURL = "";
if (Page.Request.QueryString["ReturnURL"] != null)
{
    refererURL = Page.Request.QueryString["ReturnURL"].ToString();
}

// Check to see if user was redirected because of timeout or initial login,
// where "Default.aspx" is the default page for your application
if (refererURL != "" && refererURL != (ResolveUrl("~") + "Default.aspx"))
{
    // Show HTML etc. showing session timeout message
}
else // User redirected here to initial login
{
    // Show HTML showing initial login HTML message etc.
}
```

1 Comment

Good idea. This may work great for my current app, but for others I've done, there have been links on anonymous pages to pages that require authentication, and so the returnurl isn't enough to tell the difference between a timeout or first attempt at a protected page. But, I think this should work in many cases, and combining it with looking at the actual value of returnurl should make it even better. Thanks for the reply.
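An added example, not part of the original posts: one way to combine the marker cookie from the question with the ReturnUrl check from the answer. The class name `LoginReason` and its method names are assumptions made for illustration; the cookie name "hasloggedin" comes from the question. The marker is sent by the client, so it should only select which message login.aspx displays and never take part in an authorization decision.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not framework code): tells "ticket timed out" apart
// from "never logged in" when Forms Authentication redirects to login.aspx.
public static class LoginReason
{
    private const string MarkerCookie = "hasloggedin"; // name from the question

    // Call right after a successful login (e.g. after SetAuthCookie).
    public static void MarkLoggedIn(HttpResponse response)
    {
        // Carries no identity, only "a login happened in this browser session".
        // No Expires value: a browser-session cookie that outlives the ticket.
        var marker = new HttpCookie(MarkerCookie, "1")
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(marker);
    }

    // Call on explicit sign-out so the next visit is not reported as a timeout.
    public static void Clear(HttpResponse response)
    {
        var expired = new HttpCookie(MarkerCookie, "")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(expired);
    }

    // Call from login.aspx on the initial GET.
    public static bool IsTimeout(HttpRequest request)
    {
        // Forms Authentication appended ReturnUrl: a protected page was requested.
        bool redirected = !string.IsNullOrEmpty(request.QueryString["ReturnUrl"]);
        // Marker present: this browser session has logged in before.
        bool hadLogin = request.Cookies[MarkerCookie] != null;
        // No valid ticket on this request: the earlier login is no longer accepted.
        return redirected && hadLogin && !request.IsAuthenticated;
    }
}
```

Because the marker is only set after a successful login, an anonymous visitor who follows a link to a protected page gets a ReturnUrl but no marker, which covers the case raised in the comment above.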
