0
72
ViewsExtended Logout in MVC 5
Extending logged in time as per user's choice.
Scenario: The ASP.NET MVC 5 web application is hosted in Azure WebApp WebConfig is set to timeout in 60 minutes of no requests made to the server as shown below
WebConfig:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="60" slidingExpiration="true" name="MYAUTHDV" cookieSameSite="None" requireSSL="true" />
</authentication>
In the login screen, we would like to provide a CHECKBOX and if user ticks it and login, the webapp should not log them out for next 12 hours even if there is no activity.
So far, I have tried a javascript timer running on the _layoutpage.chtml and a local storage time value registered at loggged in time at the client side. The javascript timer will ping to the server every 20 minutes to keep the login alive. This is not always working for multiple reasons like browser, machine sleep mode, hard disk turnoff internet interruptions and other unknown reasons as well etc. There is also an issue we have to overcome regarding sliding expiration vs javascript pinging .https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.slidingexpiration?view=netframework-4.8 I am also open to solutions involving server handling as well. Hoping a client side solution will incur less modification in our existing app.
1 answers
Answer question0
Well.. that is a tricky question - simply love it!
Why is it tricky? Because ASP.NET config rules are mostly static and apply to the entire project. That's why a default timeout of 60 minutes will affect every user as a general policy.
The most straight forward solution (without touching your web app internals) will be to define 2 forms - one for regular users (will be kicked off after 1 hour) and another form with extended timeout. Of course - that will make a UI change as well (instead of checkbox you will need to use a link that redirect user to a different form). It's not a very elegant solution but it will work
Problem is that every config section can have only a single <forms> tag (which is very odd - the directive itself is in plural). Following this post there is a way to bypassing this issue by declaring 2 sections with 2 different working folders.
So yes - elegant solution is off the table but it's still possible and will work without touching ASP.NET internals - which I consider as positive. The overall solution may look like this
- Create another folder (under your solution) with the extended login screen
- under
web.configfile define 2 different working folders (using the<location>directive) - Redirect user from standard login screen to extended login screen using a link
- when login completed using the extended screen - redirect to your main page (e.g dashboard or something similar)
the web.config file should look something like this:
<location path="/{MAIN_FOLDER}">
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="60" slidingExpiration="true" name="MYAUTHDV" cookieSameSite="None" requireSSL="true" />
</authentication>
</system.web>
</location>
<location path="/{EXTENDED_LOGIN_FOLDER}">
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/ExtendedLogin" timeout="720" slidingExpiration="true" name="MYAUTHDV" cookieSameSite="None" requireSSL="true" />
</authentication>
</system.web>
</location>
Again - it is not pretty but it's logical - for 2 different behaviors we use 2 different configurations in order to define how every behavior should react. Any other solution will request custom implementation and as far as I concern - you want to avoid this in the first place.
And on a personal note: please share here your final solution to help others in the future as well. thanks