The majority of pages on our site need authentication (forms auth against the
aspnetdb database). I created an '~/auth' folder with its own config file
forcing authentication for any pages in the folder.
The default.aspx sits in the root folder and just does a Response.Redirect
to an ~/auth/home.aspx page. The config forces authentication, which is
carried out by ~/pub/login.aspx which has a standard asp:login control.
I set up the default.aspx and login.aspx pages with
EnableSessionState=False. Only authenticated pages have
EnableSessionState=True. I did this so that unauthorised people/bots would
not generate sessions. Each auth page has a LoginStatus control that allows
the user to log out, which returns them to the login page.
Everything seemed to be working ok but I thought I could improve things by
issuing a Session.Abandon in the LoggedOut event handler. On logging out the
user is at the login page. If they then enter their user name and password
and try to login they get another instance of the login page. If they enter
their details and try to log in again they finally get to the ~/auth/home
page.
I removed the Session.Abandon and I got the expected behaviour, ie redirect
to the ~/auth/home the first time after entering the user name and password.
Still with EnableSessionState=False I then changed the session time out to 1
minute. If the user logs out and attempts to log back in straight away it
works. However, if the user were to wait for over a minute before attempting
to log back in the user gets two login screens.
With EnableSessionState=True on the login page, abandoning the session does
not cause a problem.
To summarise; if the login page has EnableSessionState=False and the session
has expired then the user has to login twice.
Is there a way around this without enabling the session state?
Cheers,
Andrew
