asp:login control - user prompted to log in twice if session disab

=?Utf-8?B?RHVrZSAoQU4yNDcp?=

The majority of pages on our site need authentication (forms auth against the
aspnetdb database). I created an '~/auth' folder with its own config file
forcing authentication for any pages in the folder.

The default.aspx sits in the root folder and just does a Response.Redirect
to an ~/auth/home.aspx page. The config forces authentication, which is
carried out by ~/pub/login.aspx which has a standard asp:login control.

I set up the default.aspx and login.aspx pages with
EnableSessionState=False. Only authenticated pages have
EnableSessionState=True. I did this so that unauthorised people/bots would
not generate sessions. Each auth page has a LoginStatus control that allows
the user to log out, which returns them to the login page.

Everything seemed to be working ok but I thought I could improve things by
issuing a Session.Abandon in the LoggedOut event handler. On logging out the
user is at the login page. If they then enter their user name and password
and try to login they get another instance of the login page. If they enter
their details and try to log in again they finally get to the ~/auth/home
page.

I removed the Session.Abandon and I got the expected behaviour, ie redirect
to the ~/auth/home the first time after entering the user name and password.

Still with EnableSessionState=False I then changed the session time out to 1
minute. If the user logs out and attempts to log back in straight away it
works. However, if the user were to wait for over a minute before attempting
to log back in the user gets two login screens.

With EnableSessionState=True on the login page, abandoning the session does
not cause a problem.

To summarise; if the login page has EnableSessionState=False and the session
has expired then the user has to login twice.

Is there a way around this without enabling the session state?

Cheers,
Andrew

Sep 20 '07 #1

Walter Wang [MSFT]

Hi Andrew,

Thanks for your detailed explanation, but I'm still having trouble to
reproduce the issue on my side; especially following points:

* You mentioned two login screens, are they all referring to
~/pub/login.aspx or you have another login page?

Would you please send me a small project to demonstrate the issue? Thanks
for the trouble.
Regards,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Sep 21 '07 #2

=?Utf-8?B?RHVrZSAoQU4yNDcp?=

I created a test project and couldn't recreate it. Eventually I found some
code which caught expired sessions. It signed the user out and then
redirected them to the login page. The code was being run when logging in
after a session abandon, hence the double login.

Apologies for taking up your time on this Walter,
Andrew

Sep 21 '07 #3

Walter Wang [MSFT]

Hi Andrew,

Thanks for your update.

Have a good day.

Regards,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Sep 24 '07 #4