Asp.net: Implementing Auto-Logout functionality

renegadeMind · Apr 2, 2009

I have to implement auto-logout functionality in one of my projects and I just can't figure out where to start looking for ideas but SO.

What I need is for the application to redirect the user to the login page if the user session has expired. Please tell me what my approach should be to tackle this requirement.

Problem Statement: If the user leaves the system for more than n minutes in any given log-in instance, the system should automatically log them off.

Answer

Zhaph - Ben Duguid · Apr 2, 2009

Going on the comments as much as the question, I'm not sure if you're after something that will log the user out after a certain time regardless of activity, or just after a period of inactivity.

If you're happy to use the standard ASP.NET mechanisms, this can be done for you without any major work:

Set up your membership provider.

Ensure that your authentication section defines a loginUrl:

<authentication mode="Forms">
  <forms loginUrl="login.aspx" />
</authentication>

You can set a timeout other than the default 30 minutes using the "timeout" attribute on the forms element:

<authentication mode="Forms">
  <forms loginUrl="login.aspx" timeout="15"/>
</authentication>

This will log the user out after 15 minutes of inactivity on your site (either with the browser open with no javascript "heartbeat" or if they spend 15 minutes on another site).

Deny access to anonymous users

<authorization>
  <deny users="?" />
</authorization>

Then ensure that your login, registration and possibly forgotten password pages are accessible to all users using the location element:

<location path="Logon.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
<location path="Register.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
<!-- etc -->

This way, when a user's authentication cookie expires they will be redirected to the URL specified in the loginUrl element of your forms page.


If you're not using the standard ASP.NET mechanisms, then you'd probably be better off implementing a "base page" type model.

Create a new class that inherits from System.Web.UI.Page that will check the login state of the user, and if they aren't logged in/timed out then redirect them to your login page.

In your pages that are to be locked down, instead of inheriting from System.Web.UI.Page, you inherit from your base page class (an example of this sort of setup to do something similar, checking a setting on each page, can be seen in my answer here).


Your login page will probably need to have some frame busting JS in it to jump back out of the iFrame:

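// If this window is not the top-level window, the page was loaded inside a frame:
// load it in the top-level window instead.
if (top != self) {
  top.location = self.location;
}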

Or are you saying that by pressing "back" they can still see your pages through the browser's cache? In which case you'll need to be playing around with the Cache headers on every page:

Response.Cache.SetCacheability(HttpCacheability.NoCache);

Ok, well, in that case you'll also need a JS timer object to perform a location.replace to your login page - have this in a user control on each page (or better yet, in your master page) to automatically redirect the user after n minutes:

<script type="text/javascript">
  // location.replace is case-sensitive; pass a function rather than a string to setTimeout
  setTimeout(function () { location.replace("/login.aspx"); }, 900000);
</script>

The time is in milliseconds, so this will move them on in 15 minutes, and no need to get the whole jQuery framework in place just for that.

You might also want to look into the meta refresh tag:

<meta http-equiv="refresh" content="900;url=http://example.com/login.aspx" />

Which will force the browser to refresh to the login page after 15 minutes (this one's in seconds).
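
The answer above separates logging out after a fixed time from logging out after a period of inactivity; the following is an added example (not part of the original answer) of a client-side timer for the inactivity case. It assumes the answer's 15-minute timeout and /login.aspx login page; createIdleLogout and its options are hypothetical names, and the forms timeout on the server remains what actually ends the session.

```javascript
// Added example: inactivity-based redirect. Names here are illustrative, not an ASP.NET API.
// The 15-minute value mirrors timeout="15" in the answer's web.config.
function createIdleLogout(opts) {
  var now = opts.now || Date.now;
  var schedule = opts.schedule || function (fn, ms) { return setTimeout(fn, ms); };
  var cancel = opts.cancel || function (h) { clearTimeout(h); };
  var lastActivity = now();
  var handle = null;
  var expired = false;

  // Runs when the timer fires: expire only if the user really was idle for the
  // whole period, otherwise sleep again for whatever idle time is left.
  function check() {
    var idleMs = now() - lastActivity;
    if (idleMs >= opts.timeoutMs) {
      expired = true;
      handle = null;
      opts.onExpire();
    } else {
      handle = schedule(check, opts.timeoutMs - idleMs);
    }
  }

  return {
    // Cheap enough to call from mousemove: records a timestamp, touches no timers.
    touch: function () { if (!expired) { lastActivity = now(); } },
    start: function () {
      if (handle !== null) { cancel(handle); }
      expired = false;
      lastActivity = now();
      handle = schedule(check, opts.timeoutMs);
    },
    isExpired: function () { return expired; }
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined") {
  var idleLogout = createIdleLogout({
    timeoutMs: 15 * 60 * 1000,
    onExpire: function () { location.replace("/login.aspx"); }
  });
  ["mousemove", "keydown", "click", "scroll"].forEach(function (name) {
    document.addEventListener(name, idleLogout.touch, true);
  });
  idleLogout.start();
}
```

Mouse and keyboard activity alone does not renew the server's authentication ticket, so a user who stays active without making a request is still sent to the login page on their next request once the ticket has expired.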