Ajax and forms authentication

Forms authentication is nice way to protect your asp.net web pages from unauthorized views. The good thing is that it shields all request for pages in your site and will redirect the request to a login page. You can set the time out of a session, after a preset period of inactivity the user has to be re-authenticated.

Al done in the web.config

<authentication mode="Forms">

   <forms loginUrl="~/login.aspx" timeout="2">




   <deny users="?"/>



The bad thing is that forms authentication does not work that well with an AJAX site. When a partial postback hits the server and the session has timed out the server will redirect the request to the login page. This is a response the AJAX request cannot handle well. The result will be an endless loop of requests and the page just hangs. Damit Dobric has a very informative post on this. The good thing about Firefox is that it does detect the redirect loop and will stop. IE just keeps on trying.

Damir presents a solution for the problem which does requires quite some fiddling. Here I would like to present a simpler solution.

The page load of the masterpage checks if the request is the first one in the current session by inspecting the Session.IsNewSession property. In a page shielded with forms authentication this will never be the case; posting back the login form was the first request. But when the request was issued by a partial postback in a timed out session the IsNewSession property will read true and the situation can be handled.

protected void Page_Load(object sender, EventArgs e)
    // Ajax postback, session timed out. Redirect 
    if (Session.IsNewSession)
        Response.Redirect("~/Default.aspx", true);

It explicitly signs out of FormAuthentication and redirects the user to the main page. No more loops, no more hangups.

This entry was posted in Uncategorized. Bookmark the permalink. Follow any comments here with the RSS feed for this post.
  • Anonymous

    What seems to be happening on your web server is that your app is being recycled far to often. It usually happened once every 20 minutes. Recycling is done by the web-server, when it happens the app is restarted and all session objects, including your authentication cookie, are lost. This is something you can overcome by maintaining the state in a different way. FI by switching to sql instead of in-proc. We had to do that as well to keep our sessions alive long enough. How hard it is to implement sql based session state depend on what you store in the session. Every object has to be explicitly [marked with the attribute] serializable.

  • Equiton

    I’ve got a different problem, I’ve implemented a basic Ajax chat page on my site. It works fine on local host but when run from the hosted server, users get redirected back to the login page unexpectedly without warning, and long before a timeout. I’ve tried looking for a solution on the web but I haven’t found any solid reason. Am I missing somthing obvious when using Ajax with forms authentication?

  • http://www.alastairsmith.me.uk/ Alastair Smith

    Nice trick! :-) This looks like a more elegant solution than Damir’s.