Channel: Internet Explorer Web Development forum

Problem with Timeout in ASP.NET MVC application


Hello!

We are developing an ASP.NET MVC web application using .NET Framework 4.5 and claims-based authentication/authorization. The application uses the standard ASP.NET mechanism to save a token into a cookie to read claims between POSTs that have been previously cached into memory.

We have configured the session timeout in the web.config file like this:

            <sessionState timeout="1" mode="InProc"/>

When a session timeout occurs, the Session_End event handler is called:

            protected void Session_End(object sender, EventArgs e)
            {
                 Session.RemoveAll();
                 FederatedAuthentication.SessionAuthenticationModule.SignOut();
            }

After Session_End is executed, the Session_Start handler is triggered:

            protected void Session_Start(object sender, EventArgs e)
            {
                 Breadcrumb breadcrumb = new Breadcrumb();
                 Session["Breadcrumb"] = breadcrumb;
            }

This behavior causes a custom filter that checks whether there is a session or not to always return true:

            [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
            public class SessionExpireFilterAttribute : ActionFilterAttribute
            {
                  public override void OnActionExecuting(ActionExecutingContext filterContext)
                  {
                       // Get context
                       HttpContext ctx = HttpContext.Current;

                       // If the browser session has expired...
                       if (ctx.Session != null && ctx.Session["Breadcrumb"] == null)
                       {
                            // Redirect to login page
                       }
                  }
            }

On the other hand, if the user clicks the "Log out" menu option, the following handler is called:

            public ActionResult Logout()
            {
                   FederatedAuthentication.SessionAuthenticationModule.SignOut();
                   return RedirectToAction("Login", "Account");
            }
 
After this, if we enter a valid application URL into the browser, the page is shown and we are not prompted for credentials. Does this mean that the token is still valid?

Could you please tell us what is happening?

Thanks very much in advance for your help.

Roberto
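
One way to detect the timeout at request time, where a response exists to clear the authentication cookie (an added example, not part of the original post and not an answer from the forum). Session_End in InProc mode runs outside any HTTP request, so the filter below instead checks IsNewSession together with a session cookie the browser is still sending. The class name SessionTimeoutFilterAttribute is hypothetical, and the cookie name assumes the ASP.NET default, ASP.NET_SessionId.

```csharp
using System;
using System.IdentityModel.Services;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Added example (hypothetical class name), not the poster's filter.
// Apply it to authenticated actions only, not to the Login action itself.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public class SessionTimeoutFilterAttribute : ActionFilterAttribute
{
    // Assumption: default session cookie name; change it if
    // <sessionState cookieName="..."> is set in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase ctx = filterContext.HttpContext;

        // Session_Start has already run for this request, so testing a session
        // key such as "Breadcrumb" cannot reveal an expired session.
        // IsNewSession is true only on the first request of a session.
        if (ctx.Session != null && ctx.Session.IsNewSession)
        {
            // The browser still presenting a session cookie means an earlier
            // session existed and is gone (timeout or application restart).
            string cookieHeader = ctx.Request.Headers["Cookie"];
            bool hadEarlierSession = cookieHeader != null &&
                cookieHeader.IndexOf(SessionCookieName, StringComparison.OrdinalIgnoreCase) >= 0;

            if (hadEarlierSession)
            {
                // Inside a request, SignOut() can add the expiring cookie
                // to the response and drop the cached session token.
                FederatedAuthentication.SessionAuthenticationModule.SignOut();

                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary
                    {
                        { "controller", "Account" },
                        { "action", "Login" }
                    });
                return;
            }
        }

        base.OnActionExecuting(filterContext);
    }
}
```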

