Forms Authentication

[EndersG]

I'm using Forms Authentication for my ASP.NET web application. When the session times out and the user tries to navigate to a different page, he/she will be redirected to the login page (based on the loginUrl) where he/she will be prompted to re-enter his/her credentials.

HOWEVER, I don't want this to apply to the LogOut link of my web application. I want the user to be able to log out immediately (regardless of whether or not the authorization ticket/cookie expired or not). It doesn't seem to make sense that you should receive a login prompt and have to reauthenticate yourself just so you can log out.

Anyone have any ideas how I can accomplish this?

 

[Kodo]

well, that logic won't work because if the session expired then they are already "logged out" so to speak so if you have a logout page that requires authentication to get to (which appears to be the case) then you should change your forms auth so that the logout page does not require authentication to get to. On the logout page use

Session.Abandon()
FormsAuthentication.SignOut()

 

[EndersG]

No. You misunderstand. I have a menubar on top of my main web page and there are links that take you to different pages. My last menu item is a LogOut link that allows you to exit the system completely. However, if there has been inactivity for a predetermined amount of time beyond the session expiry date/time, if you try to click on any of the links it will take you back to the login screen. Which is fine. I want it to work in that exact sequence. EXCEPT however, if you click on the logout link. If you click on the logout link, it should exit you out gracefully from the application regardless if you've timed out or not. Unfortunately, that's not happening. It's bring up the logon screen, the user enters the username and password, and only then does it finally display the logout page. It's too many steps just to exit the app and I want to eliminate the intermediary one (the login page)

 

[Kodo]

that's what I'm saying. Your logout "section" is within the layer that is being protected with FormsAuth. You need to remove it from being protected by FormsAuth for it to do what you're asking. So, have the link go to a Logout.aspx page that does the logging out for you.


so. click LOGOUT.. redirect to unprotected LOGOUT.ASPX which does
session.abandon
formsAuthentication.signout()
'redirect to some other page if desired

 

[EndersG]

Fair enough, Kodo. But I'm still not clear on how one would go about isolating a specific aspx page (i.e. LogOut.aspx) from being verified using Forms Authentication. Is that something I can set in the web.config file? If so, please advise how I would go about doing that. Much appreciated!

 

[Kodo]

take a look here
http://www.devhood.com/tutorials/tutorial_details.aspx?tutorial_id=85

take note of the web.config that the author has displayed.
A section like this

<location path="public/">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

where path= your logout.aspx.

I just thought of something else. If your logout button doesn't go to another page, instead if it posts back, you can check for user.isauthenticated and do an IF THEN ESLE on that condition.
IF user.isauthenticated then
'do logout code
else
'redirect someplace else
end if

take your pick.

 

[EndersG]

Thanks for the code snippet, Kodo. I'll give it a try and see what happens.

 

[EndersG]

It worked! Kudos to Kodo.

 

[Kodo]

Glad you got it sorted.
Which method did you choose?

 

[EndersG]

I implemented the K.I.S.S. method. 'Keep it simple, stupid.' I just set the path attribute of the location element to LogOut.aspx and let the .Net framework handle the rest.... easy as pie. Thanks again.