Search code examples
c#asp.nettimersingle-sign-onforms-authentication

Single-SignOn-Loginpage with timer to check if user is already signed in

we've set up multiple asp.net-pages which require a signed-in user. to keep the administrative overhead as small as possible, we decided to build kind of a portal-page, where the users can login. after the login-procedure they will be redirected back to the page which they wanted to navigate to. this works pretty smooth and we are happy with it.

quickfacts:

  • all "childpages" check over the master, if user is logged in. if not -> redirect to portal
  • childpages and portal share the authentication cookie by using the same machine validation key
  • authentication method: forms authentication
  • authenticated against active directory

BUT one thing is annoying me a little bit: It happens often that users have opened multiple instances (tabs) of our sites. if they open them after they logged in - no problem. but if they're open right before the login, the get on each tab the login-page. that's ok, but my target is check timebombed, if the user is already logged in. so that a user can login in one of those tabs and all other tabs redirect the user automatically to the target site as he is now logged in.

I've used timers before and thought that this shouldn't be a big deal - but i can't figure out how to do this. What i've done right now:

I've created a timer in the login page of our portal. He is located in a update panel to avoid reloading the whole page while the user is typing in his credentials:

<asp:UpdatePanel runat="server">
    <ContentTemplate>
        <asp:Timer ID="tiUpdater" runat="server" OnTick="GetTime" Interval="1000" />
    </ContentTemplate>
</asp:UpdatePanel>

Then i used the GetTime-Tickevent to execute the following code:

protected void GetTime(object sender, EventArgs e)
{
     if (System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
     {
         if (!string.IsNullOrEmpty(Request.QueryString["ReturnURL"]))
         {
             string sDestinationURL = Request.QueryString["ReturnURL"];
             Response.Redirect(sDestinationURL);
         }
         else
         {
             Response.Redirect("~");
         }
     }
}

I know it's basic as hell - but it's enough for what we want. The strange thing is, that it looks like the ticks are proceeding as intended. But the 'IsAuthenticated'-Property seems to return false as long as i don't reload the whole page. when i reload the whole login-page, i get a redirect with the first tick of my timer.

Solution

  • Oh my gosh, i'll go bury myself now. After answering your 'wild guess' i looked again in the chrome console to see a huge load of errors regarding this anti-xsrf-thing. I have to admit that i don't know much about it, but after commenting all this xsrf-code out, it worked like a charm.

    I guess i have to read a little bit more about it to understand this mechanics. Thanks for your time!