question

Dondon510-9757 avatar image
0 Votes"
Dondon510-9757 asked AgaveJoe edited

How to force the web app goes to user/logout when session expired?

How to force the web app goes to user/logout when session expired?
my C# codes below only goes to /user/logout when the session was expired if the user triggering something (ie. click a menu or hit refresh)

 builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
 .AddCookie(options =>
 {
     options.LoginPath = "/User/Login";
     options.AccessDeniedPath = "/User/Login";
     options.LogoutPath = "/User/Logout";
     options.SlidingExpiration = true;
     options.ExpireTimeSpan = TimeSpan.FromMinutes(PrimeIoT.SIM.Models.AppSettings.Application.SESSION_TIMEOUT);
 });
dotnet-aspnet-core-general
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

What is the "session" you mean? There is no relation between the Session so called in the ASP,NET and authentication ticket/cookie issued by the ASP.NEY Identity.

0 Votes 0 ·
AgaveJoe avatar image
0 Votes"
AgaveJoe answered

It's very simple. Create a JavaScript timer or use a meta tag that has the same timeout plus a second as the authentication cookie expiration. When the timer runs out, refresh the page.

https://www.w3schools.com/tags/att_meta_http_equiv.asp
https://developer.mozilla.org/en-US/docs/Web/API/setTimeout

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sreejukg avatar image
0 Votes"
sreejukg answered sreejukg commented

Hi @Dondon510-9757, when the user gets logged out, your browser do not have any clue. One option you have is to use a Javascript timer that runs in the browser. The purpose of the timer is to issue a request and check whether the user is still logged in, you may use the response status code or see the cookie in the response. (Make sure you set SlidingExpiration to false).

Now in the javascript timer method, when you detect the cookie expired, you can redirect the user to the login page.

Hope this helps

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Now in the javascript timer method, when you detect the cookie expired, you can redirect the user to the login page.

Expiration of cookie and authentication ticket are not the same. There is no way to know the expiration of authentication ticket by using JavaScript.

0 Votes 0 ·

From the server you can get these information, right. Now create a page in the server and call this from the ajax call. Based on the response in the ajax call you can redirect the user to the login page.

0 Votes 0 ·
Dondon510-9757 avatar image
0 Votes"
Dondon510-9757 answered AgaveJoe edited

BTW,

still related to session timeout, is it possible to set no session timeout?, currently I set to long expiry timeout like 999999 but I thought there is a better way to disable the session timeout, please CMIIW

· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

What is the "session" you mean? Do you know that there is no relation between the Session so called in the ASP,NET and authentication ticket/cookie issued by the ASP.NEY Identity.

0 Votes 0 ·

This is a new question and you want to disable the Session timeout???? What is your use case?

0 Votes 0 ·

yes, if possible I want to disable the session timeout, the users some times need to do something and go back to the page and it goes to login page after the session timed out.

0 Votes 0 ·
AgaveJoe avatar image AgaveJoe Dondon510-9757 ·

Simply set the authentication cookie expiration to a value that's acceptable for you application.

 builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
 .AddCookie(options =>
 {
     options.ExpireTimeSpan = TimeSpan.FromDays(2);
 });

Honestly, this post is very confusing because it changed approaches. Anyway, Session and Cookie Authentication are two different APIs as explained above.
The Cookie Authentication middleware is what redirects the browser. You can configure the timeout for both APIs in configuration very easily - read the docs. Otherwise, clearly explain the problem you are trying to solve rather than the solution.

0 Votes 0 ·