ASP.NET MVC Session Expiration
Specifically, I don't know that there are any best practices regarding it, but I'm doing this right now for our app. We've opted for a client-side solution where we output the Session timeout value into some javascript in the master page, and calculate when the session will expire.
5 minutes before-hand, we pop up a modal dialog box saying "Are you still there?" with a countdown timer. Once the timer hits 0:00, we redirect the browser to the login page.
It's implemented with a minimal amount of javascript to do the time and timer calculations, and a simple .ashx handler that will refresh the session if the user clicks "I'm back!" on the dialog box before the session expires. That way if they return in time, they can refresh the session without any navigation.
I asked similar question yesterday. Here is my solution:
Modified Authorize attribute:
public class OptionalAuthorizeAttribute : AuthorizeAttribute{ private class Http403Result : ActionResult { public override void ExecuteResult(ControllerContext context) { // Set the response code to 403. context.HttpContext.Response.StatusCode = 403; context.HttpContext.Response.Write(CTRes.AuthorizationLostPleaseLogOutAndLogInAgainToContinue); } } private readonly bool _authorize; public OptionalAuthorizeAttribute() { _authorize = true; } //OptionalAuthorize is turned on on base controller class, so it has to be turned off on some controller. //That is why parameter is introduced. public OptionalAuthorizeAttribute(bool authorize) { _authorize = authorize; } protected override bool AuthorizeCore(HttpContextBase httpContext) { //When authorize parameter is set to false, not authorization should be performed. if (!_authorize) return true; var result = base.AuthorizeCore(httpContext); return result; } protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) { if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest()) { //Ajax request doesn't return to login page, it just returns 403 error. filterContext.Result = new Http403Result(); } else base.HandleUnauthorizedRequest(filterContext); }}HandleUnauthorizedRequest is overridden, so it returns Http403Result when using Ajax. Http403Result changes StatusCode to 403 and returns message to the user in response. There is some additional logic in attribute (authorize parameter), because I turn on [Authorize] in base controller and disable it in some pages.
Other important part is global handling of this response on client side. This is what I placed in Site.Master:
<script type="text/javascript"> $(document).ready( function() { $("body").ajaxError( function(e,request) { if (request.status == 403) { alert(request.responseText); window.location = '/Logout'; } } ); } );</script>I place GLOBAL ajax error handler and when evert $.post fails with 403 error, response message is alerted and user is redirected to logout page. Now I don't have to handle error in every $.post request, because it is handled globally.
Why 403, not 401? 401 is handled internally by MVC framework (that is why redirection to login page is done after failed authorization).
What do you think about it?
EDIT:
About resigning from [Authorize] attribute: [Authorize] is not only about checking Identity.IsAuthenticated. It also handles page caching (so you don't cache material that requires authentication) and redirection. There is no need to copy this code.
You might look into the AjaxOptions that can be set in Ajax.BeginForm(). There is an OnBegin setting that you can associate with a javascript function, which could call a Controller method to confirm that the session is still valid, and if not, redirect to the login page using window.location.