Asp.net: Implementing Auto-Logout functionality

Solution 1

This has been achieved by the following way:

1) Save the time-stamp of every request( server and ajax excluding the session check ajax request) to the server into a session var.

2) Poll the server via a JS function using ajax at frequent intervals and check if the time diff between the session time-stamp and the ajax request time is greater than the session timeout val then log-off the current user and return a bool for that ajax request.

3) Redirect the current page to the login page if the bool returned is true.

Solution 2

Going on the comments as much as the question, I'm not sure if you're after something that will log the user out after a certain time regardless of activity, or just after a period of inactivity.

If you're happy to use the standard ASP.NET mechanisms, this can be done for you without any major work:

Set up your membership provider.

Ensure that your authentication section defines a loginUrl:

<authentication mode="Forms">
  <forms loginUrl="login.aspx" />
</authentication>

You can set a timeout other than the default 30 minutes using the "timeout" attribute on the forms element:

<authentication mode="Forms">
  <forms loginUrl="login.aspx" timeout="15"/>
</authentication>

This will log the user out after 15 minutes of inactivity on your site (either with the browser open with no javascript "heartbeat" or if they spend 15 minutes on another site).

Deny access to anonymous users

<authorization>
  <deny users="?" />
</authorization>

Then ensure that your login, registration and possibly forgotten password pages are accessable to all users using the location Element:

<location path="Logon.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
<location path="Register.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
<!-- etc -->

This way, when a user's authentication cookie expires they will be redirected to the URL specified in the loginUrl element of your forms page.

If you're not using the standard ASP.NET mechanisms, then you'd probably be better off implementing a "base page" type model.

Create a new class that inherits from System.Web.UI.Page that will check the login state of the user, and if they aren't logged in/timed out then redirect them to your login page.

In you pages that are to be locked down, instead of inheriting from System.Web.UI.Page, you inherit from your base page class (an example of this sort of setup to do something similar - check setting on each page) can be seen in my answer here

Your login page will probably need to have some frame busting JS in it to jump back out of the iFrame:

if (top!=self.parent){
  top.location=self.parent.location;
}

Or are you saying that by pressing "back" they can still see your pages through the browsers cache? In which case you'll need to be playing around with the Cache headers on every page:

Response.Cache.SetCacheability(HttpCacheability.NoCache);

Ok, well, in that case you'll also need a JS timer object to perform a Location.Replace to your login page - have this in a user control on each page (or better yet, in your master page) to automatically redirect the user after n minutes:

<script type="text/javascript">
  setTimeout('location.Replace("/login.aspx")', 900000);
</script>

The time is in milliseconds, so this will move them on in 15 minutes, and no need to get the whole jQuery framework in place just for that.

You might also want to look into the meta refresh tag:

<meta http-equiv="refresh" content="900;url=http://example.com/login.aspx" />

Which will force the browser to refresh to the login page after 15 minutes (this one's in seconds).

Author by

renegadeMind

.Net Developer

Updated on July 14, 2022