Matching Session variables with FormsAuthentication

[Jackpanel]

I'm having a small problem with forcing users to login when either their FormsAuthentication is no longer valid, or when the session variables expire. My problem is that if the Session expires, but the FormsAuthentication passes, the page tries to load. Since I keep track of user account IDs (different from the UserID, which I can store in User.Identity.Name) in a session variable, this causes a lot of SQL queries to come back empty.

 

e.g. "SELECT * FROM Orders WHERE AccountID = " & Session("AccountID")

 

I've tried forcing a FormsAuthentication signout and page reload whenever a new session is started, but it doesn't actually force a login unless I reload the page

 

Sub Session_Start(Sender As Object, E As EventArgs)
if request.IsAuthenticated then
      FormsAuthentication.SignOut()
      Session.abandon
      ' reload page
      Response.Redirect(sReloadURL)
end if

 

I'd rather not have to put code to check for session variables into each and every page, and figure there must be an efficient way to handle this in the global.asax file. Another option would be to stop using Session variables completely if there is a better way to store these kinds of variables tied directly to the FormsAuthentication. I'm using roles-based authentication, but that doesn't quite cover all the variables I need for each user.

 

Suggestions?

[wayneph]

I set the Forms Cookie timeout so that it is the same as my session time out.

 

Set the session time out either in IIS MMC plugin or in code by Session.TimeOut = 20. (20 minutes is the default.)

 

Then in your web.config file where you set up the forms authentication you just add a timeout attribute. here is a sample of one of my definitions:

 

<forms name=".authcookie" loginUrl="login.aspx" protection="All" timeout="20" />

 

Since the cookie and the session both expire at the same time, the problem should weed it self out.

[Jackpanel]

Thanks for the suggestion. I had actually done that at one point in the past, but was getting frustrated developing, because everytime I'd compile the project, the session variables would be cleared but not the formsauthentication variables.

 

I guess it won't be a big issue on the production system, but it would be nice if I could solve the problem to save me some hassles as I develop and test.