[ACCEPTED]-Asp.net: Implementing Auto-Logout functionality-logout

Accepted answer
Score: 18

Going on the comments as much as the question, I'm 52 not sure if you're after something that 51 will log the user out after a certain time 50 regardless of activity, or just after a 49 period of inactivity.

If you're happy to 48 use the standard ASP.NET mechanisms, this can be done for 47 you without any major work:

Set up your membership provider.

Ensure 46 that your authentication section defines a loginUrl:

<authentication mode="Forms">
  <forms loginUrl="login.aspx" />

You can set 45 a timeout other than the default 30 minutes 44 using the "timeout" attribute 43 on the forms element:

<authentication mode="Forms">
  <forms loginUrl="login.aspx" timeout="15"/>

This will log the user out after 42 15 minutes of inactivity on your site (either 41 with the browser open with no javascript 40 "heartbeat" or if they spend 15 39 minutes on another site).

Deny access to 38 anonymous users

  <deny users="?" />

Then ensure that your login, registration 37 and possibly forgotten password pages are 36 accessable to all users using the location Element:

<location path="Logon.aspx">
      <allow users="?"/>
<location path="Register.aspx">
      <allow users="?"/>
<!-- etc -->

This way, when 35 a user's authentication cookie expires they 34 will be redirected to the URL specified 33 in the loginUrl element of your forms page.

If 32 you're not using the standard ASP.NET mechanisms, then 31 you'd probably be better off implementing 30 a "base page" type model.

Create 29 a new class that inherits from System.Web.UI.Page 28 that will check the login state of the user, and 27 if they aren't logged in/timed out then 26 redirect them to your login page.

In you 25 pages that are to be locked down, instead 24 of inheriting from System.Web.UI.Page, you 23 inherit from your base page class (an example 22 of this sort of setup to do something similar 21 - check setting on each page) can be seen 20 in my answer here

Your login page will probably need to 19 have some frame busting JS in it to jump 18 back out of the iFrame:

if (top!=self.parent){

Or are you saying 17 that by pressing "back" they can 16 still see your pages through the browsers 15 cache? In which case you'll need to be playing 14 around with the Cache headers on every page:


Ok, well, in 13 that case you'll also need a JS timer object 12 to perform a Location.Replace to your login 11 page - have this in a user control on each 10 page (or better yet, in your master page) to 9 automatically redirect the user after n 8 minutes:

<script type="text/javascript">
  setTimeout('location.Replace("/login.aspx")', 900000);

The time is in milliseconds, so 7 this will move them on in 15 minutes, and 6 no need to get the whole jQuery framework 5 in place just for that.

You might also want 4 to look into the meta refresh tag:

<meta http-equiv="refresh" content="900;url=http://example.com/login.aspx" />

Which 3 will force the browser to refresh to the 2 login page after 15 minutes (this one's 1 in seconds).

Score: 6

This has been achieved by the following 11 way:

1) Save the time-stamp of every request( server 10 and ajax excluding the session check ajax 9 request) to the server into a session var.

2) Poll 8 the server via a JS function using ajax 7 at frequent intervals and check if the time 6 diff between the session time-stamp and 5 the ajax request time is greater than the 4 session timeout val then log-off the current 3 user and return a bool for that ajax request.

3) Redirect 2 the current page to the login page if the 1 bool returned is true.

Score: 0

Since you don't know where to start, you 5 may find this 4guys article useful: http://www.4guysfromrolla.com/webtech/110701-1.shtml


Sounds 4 like the jQuery timer may be useful if you want to redirect 3 to a url after a known period of time has 2 elapsed (i.e. your session expiry period).

Hope 1 this helps.

More Related questions