
asp:login control - user prompted to log in twice if session disab

The majority of pages on our site need authentication (forms auth against the
aspnetdb database). I created an '~/auth' folder with its own config file
forcing authentication for any pages in the folder.

The default.aspx sits in the root folder and just does a Response.Redirect
to an ~/auth/home.aspx page. The config forces authentication, which is
carried out by ~/pub/login.aspx which has a standard asp:login control.

I set up the default.aspx and login.aspx pages with
EnableSessionState=False. Only authenticated pages have
EnableSessionState=True. I did this so that unauthorised people/bots would
not generate sessions. Each auth page has a LoginStatus control that allows
the user to log out, which returns them to the login page.

Everything seemed to be working ok but I thought I could improve things by
issuing a Session.Abandon in the LoggedOut event handler. On logging out the
user is at the login page. If they then enter their user name and password
and try to login they get another instance of the login page. If they enter
their details and try to log in again they finally get to the ~/auth/home
page.

I removed the Session.Abandon and I got the expected behaviour, i.e. redirect
to the ~/auth/home the first time after entering the user name and password.

Still with EnableSessionState=False I then changed the session time out to 1
minute. If the user logs out and attempts to log back in straight away it
works. However, if the user were to wait for over a minute before attempting
to log back in the user gets two login screens.

With EnableSessionState=True on the login page, abandoning the session does
not cause a problem.

To summarise: if the login page has EnableSessionState=False and the session
has expired then the user has to login twice.

Is there a way around this without enabling the session state?

Cheers,
Andrew
Sep 20 '07 #1


Hi Andrew,

Thanks for your detailed explanation, but I'm still having trouble
reproducing the issue on my side; especially the following points:

* You mentioned two login screens, are they all referring to
~/pub/login.aspx or do you have another login page?

Would you please send me a small project to demonstrate the issue? Thanks
for the trouble.
Regards,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
Sep 21 '07 #2

I created a test project and couldn't recreate it. Eventually I found some
code which caught expired sessions. It signed the user out and then
redirected them to the login page. The code was being run when logging in
after a session abandon, hence the double login.

Apologies for taking up your time on this Walter,
Andrew
Sep 21 '07 #3
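
The interaction described in the post above, as an added example that is not the poster's code (which the thread does not show). It assumes the expired-session check was the common "new session but old cookie" heuristic, and that a hypothetical `AuthPageBase` class backs the pages under ~/auth; expiring the session cookie at logout is one way to avoid the second prompt while leaving session state disabled on the login page.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class for the pages under ~/auth (EnableSessionState=True).
public class AuthPageBase : Page
{
    // Default cookie name; differs if <sessionState cookieName="..."> is set.
    protected const string SessionCookieName = "ASP.NET_SessionId";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Assumed heuristic: the server has just created a session, yet the
        // browser sent a session cookie, so the old session timed out or was
        // abandoned. Read the raw header, because Request.Cookies also
        // reflects cookies added to the response during this request.
        string cookieHeader = Request.Headers["Cookie"];
        bool staleCookie = Session.IsNewSession
            && cookieHeader != null
            && cookieHeader.IndexOf(SessionCookieName, StringComparison.Ordinal) >= 0;

        if (staleCookie)
        {
            // Without the cookie cleanup in LoginStatus_LoggedOut, the first
            // authenticated request after a fresh login lands here and the
            // user is signed out again: the second login prompt.
            FormsAuthentication.SignOut();
            ExpireSessionCookie();
            Response.Redirect(FormsAuthentication.LoginUrl); // ends the response
        }
    }

    // Wire to the LoginStatus control: OnLoggedOut="LoginStatus_LoggedOut".
    protected void LoginStatus_LoggedOut(object sender, EventArgs e)
    {
        Session.Abandon();
        ExpireSessionCookie();
    }

    // Make the browser drop the old session id so the next login starts clean
    // and an abandoned id is not presented again.
    protected void ExpireSessionCookie()
    {
        HttpCookie cookie = new HttpCookie(SessionCookieName, string.Empty);
        cookie.HttpOnly = true;
        cookie.Expires = DateTime.UtcNow.AddDays(-1);
        Response.Cookies.Add(cookie);
    }
}
```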

Hi Andrew,

Thanks for your update.

Have a good day.

Regards,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Sep 24 '07 #4
