Hi.

I'm trying to have a page be redirectd to the login page once session times out. The time out works, but the redirect isn't working. I tried the following in my global.asax file:

 Sub Application_AcquireRequestState(ByVal sender As Object, ByVal e As EventArgs)
        If Session("issessionactive") = "" Then
           Response.Redirect("login.aspx")
      End If
End Sub

But, it doesn't seem to work because it takes a long time for my login page to even load. Is there a particular method/event where I can insert this information? I'm aware that I can insert a <meta content> on each html page to cause it to redirect. But, I think it's easier to do it on the global.asax page so that it would work for all pages. Can someone please tell me what I can do to cause it to be redirected using the global.asax file? Thank you.

You can't use "Response.Redirect" to 'push' a browser to another page. Only when the server is processing a page the browser requested will this work. When there is no page running, the code to redirect doesn't run.

Typically, you'd use forms authentication to make all pages redirect to the login page when the user is not logged in (i.e. when they come for the first time or their session has timed out). If you want to have the browser go on it's own, then you'd need to use a meta tag to auto-refresh the page at some time interval. If you set this time value for something just beyond what your session timeout would be, then the server will redirect under the forms auth rules when the browser re-requests the page. Remember that if you refresh the browser page before the server has timed out the session you'll reset the session timer and keep the session alive indefinately.

-Peter

Hi Peter,

I have added the following tag to one of my pages:

<META HTTP-EQUIV="Refresh" CONTENT="61;URL=login.aspx">

So, it times out and is redirected to my login page. I was wondering if I needed to include this tag for all of my pages? Or is there a way for me to just put it in one place preferably the global.asax page or the web.config page? I don't have "forms authentication" in my globa.asax page. All I have are:

Application_Start
Session_Start
Application_BeginRequest
Application_AuthenticateRequest
Application_Error
Session_End
Application_End

Can you please tell me what I can do? Thanks for your help thus far. Any help from anyone is greatly appreciated. I am very new to the .net environment.

Ok, I just noticed that the tag I put won't really help me. This is because it automatically redirects after 61 seconds whether or not session is empty or not. Is there a way to have it redirect after session is empty? I've tried it in: Application_AuthenticateRequest but, the session state doesn't work in this case. Can I please get an example on how I should go about doing this? Thank you very much.

Like I explained in my previous post, you can't tell a browser to go somewhere until it's actually processing a page. Once a session times out on the server, it just goes away. Only when the browser requests another page will it know that its session has expired. That's why I suggested the meta refresh. That's the only way to get the browser to automatically reload and thus check its session.

Forms authentication is configured in the web.config file. By setting up forms auth you are letting .NET handle the details of returning you to the login page after the session expires. But again, it only happens when a page is requested by the browser.

Try the meta tag with a longer value (like 1200 seconds (20 minutes).

-Peter

Ok, so I've left the meta tag in my code and extended the timeout. I even changed the forms authentication to 'Forms'. Is there something else that I need to do to get this working? Should I be putting something in my global.asa? How does it know session has expired unless I do something? The way I have it now only redirects to another page after a specified amount of time. It has nothing to do w/my session variables.

I understand that the browser can't go anywhere unless it's processing a page. But, I'm really confused as to how I should modify this. Should I redirect the page to the original page it became idle from or the login page? And am I supposed to put the redirect page in the web config file?

Please help!

Ok, I changed my code to the following:

I took out the url to the login page here.

<META HTTP-EQUIV="Refresh" CONTENT="61;">

And I added the following to my web.config file.
    <authentication mode="Forms">
    <forms
    name=".Session_Auth"
    loginUrl="login.aspx"
    protection="All"
    timeout="3"
    path="/"
    />
</authentication>

I have no code in my global.asa. Am I supposed to reference form.authentication in there?

However, it's not redirecting to the login page. Is there something I'm missing here? I thought that if the user wasn't authenticated then the page would automatically be redirected. Isn't this the case here?

You shouldn't need to do anything in the global.

You need to tell forms authentication who to let in or leave out:

<authorization>
    <deny users="?" />
</authorization>

This will deny all un-authenticated users.

Ok, I changed the users to deny all un-authenticated users. But, it still doesn't redirect to the login page. Is it because I don't have my session variables in my web.config file?

The way my login page works is that they submit the username and password into textboxes which are put into session variables. That information is then checked through the SQL Server which allows/denies them access. And if it allows them, then the "issessionactive" session variable is set to true. Am I supposed to incorporate this in the web.config page? Or am I doing something else wrong? Should I not have taken out the url for the meta refresh?

All it does now is timeout on the main page it came from.