I have a webforms app that uses a few ASP.NET AJAX Timer controls (i.e. polling). If a user is on a page with one of these, they will effectively never time out, as the polling process keeps their authentication ticket alive.
I'd like to segment Timer controls so they don't trigger Forms Authentication's RenewTicketIfOld method. The path I'm on (and I've done something similar before) is to inject something into the AJAX HTTP request to have these requests identified as coming from a timer, and then put some code to run after the Forms Authentication Module that hides the Authentication cookie from being sent back down in the response.
Any other suggestions for how to prevent a Timer control from keeping the forms authentication ticket alive?
First trick that comes to my mind.
In web.config, set the domain like www.yoursite.com
<forms domain="www.yoursite.com" .... >
and make a sub-domain like timers.yoursite.com that actually is the same as www.yoursite.com. Now make the calls on timers.yoursite.com, and because the cookies must find www.yoursite.com, they never trigger the authentication.
Second dirty trick
In web.config, set requireSSL=true
<forms requireSSL="true" .... >
and make your timer calls on a non-secure page. This way the authentication is not triggered again, because the cookie is not read on a non-secure page.
And a final idea: run the timers on a cookieless and sessionless page, I mean a page that does not send or get cookies at all. I do not know if this is possible under the same domain; I think you need a different domain name (outs)
Making progress; currently this is my solution. I went from setting a custom header in the Timer AJAX requests and checking that header in a Module (you can see this in the answer version history) to a simple, Module-only solution. (Hat tip to the "How to tell if a refresh came from a Timer" question.)
    using System;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI;

    public class SkipAuthTicketRenewalModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.EndRequest += new EventHandler(context_EndRequest);
        }

        // Required by IHttpModule; this module holds no resources to release.
        public void Dispose()
        {
        }

        void context_EndRequest(object sender, EventArgs e)
        {
            // See if auth cookie was added in response to the timer control update by the FormsAuthModule,
            // indicating the ticket was renewed. If it was, remove it so we don't extend the ticket.
            HttpContext ctx = HttpContext.Current;

            // __EVENTTARGET carries the ID of the control that caused the postback.
            string ctrlname = ctx.Request.Params.Get("__EVENTTARGET");
            if (!String.IsNullOrEmpty(ctrlname))
            {
                Page page = ctx.Handler as Page;
                if (page != null)
                {
                    Control ctrl = page.FindControl(ctrlname);
                    if (ctrl is Timer)
                    {
                        // Drop the renewed ticket from the response so the browser keeps the old one.
                        ctx.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
                    }
                }
            }
        }
    }
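
The effect of withholding the renewed cookie on timer requests can be seen in a small model of sliding expiration. This is an added example, not code from the question or either answer: the names, the one-minute granularity and the sample values are assumptions, and the renewal rule is modelled as "reissue once the time remaining is no greater than the ticket's age".

```csharp
using System;

// Model of Forms Authentication sliding expiration (added example, assumed names).
static class SlidingExpirationModel
{
    // Returns the minute at which the browser's ticket expires,
    // or -1 if it is still valid at the end of the simulated window.
    // userClickAt is the minute of one real (non-timer) request, -1 for none.
    public static int MinuteOfExpiry(int timeoutMin, int pollEveryMin, int windowMin,
                                     bool dropCookieOnTimer, int userClickAt)
    {
        int issued = 0, expires = timeoutMin;   // ticket currently held by the browser
        for (int now = 1; now <= windowMin; now++)
        {
            bool isUser = now == userClickAt;
            bool isPoll = now % pollEveryMin == 0;
            if (!isUser && !isPoll) continue;    // no request this minute
            if (now >= expires) return expires;  // ticket lapsed before this request

            // Server side: reissue once the remaining time is no greater than the age.
            bool renewed = (expires - now) <= (now - issued);

            // Client side: the new ticket only takes effect if Set-Cookie is delivered.
            // The module withholds it on timer postbacks, never on real requests.
            bool delivered = isUser || !dropCookieOnTimer;
            if (renewed && delivered)
            {
                issued = now;
                expires = now + timeoutMin;
            }
        }
        return -1;
    }

    static void Main()
    {
        // Constructed scenario: 20-minute timeout, timer every minute, 3 hours observed.
        Console.WriteLine(MinuteOfExpiry(20, 1, 180, false, -1)); // polling alone, no module
        Console.WriteLine(MinuteOfExpiry(20, 1, 180, true, -1));  // module strips the cookie
        Console.WriteLine(MinuteOfExpiry(20, 1, 180, true, 15));  // module + one real click
    }
}
```

In this model the first scenario never expires, the second expires at the original 20-minute mark, and the third slides only because of the real request at minute 15.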