Friday, March 30, 2007

Using Forms Authentication with Callbacks

We use callbacks all over the place in our ASP.NET applications. Because of
various security and technical concerns we also use forms authentication by
default. This creates a problem when the forms authentication ticket
expires. In the traditional postback model, when the authentication
ticket expires you are redirected to the login page; when a callback
occurs, however, there is no action by default. After discovering this I began
googling for information and found this blog post:
http://blogs.msdn.com/irenak/archive/2007/03/12/sysk-304-how-to-detect-and-handle-form-based-authentication-timeout-during-asp-net-script-callback.aspx
Admittedly it is a little hacky, but I think it works well for our purpose.
Read the article, but the gist is this:

Microsoft's callback JavaScript handler expects a response that begins with
either an 's' for success or an 'e' for error. The authentication failure does
not return either of these.

To get around this, add a handler for the Application_AuthenticateRequest
event in the global.asax. In the handler, write a message to the response
that begins with an 'e'; then you can redirect to the login page from within
the callback error JavaScript.
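
The client side of this workaround, as an added example that is not code from this post or the linked article: a simplified model of the 's'/'e' dispatch and an error callback that redirects to the login page on a timeout marker. The marker text `SESSION_EXPIRED`, the `/Login.aspx` path and all function names are assumptions, and the server-side handler is assumed to write 'e' followed by that marker.

```javascript
// Added example: simplified model of the dispatch the post describes.
// Assumptions (not from the post): marker text, login path, all names.
const TIMEOUT_MARKER = "SESSION_EXPIRED"; // what the server handler writes after 'e'
const LOGIN_PATH = "/Login.aspx";         // fixed, same-origin login page

// Route a raw callback response by its first character:
// 's' -> success callback, 'e' -> error callback, anything else -> neither.
function dispatchCallbackResponse(responseText, onSuccess, onError) {
  const kind = responseText.charAt(0);
  const payload = responseText.substring(1);
  if (kind === "s") { onSuccess(payload); return "success"; }
  if (kind === "e") { onError(payload); return "error"; }
  return "ignored"; // starts with neither: no callback runs, the user sees nothing
}

// Build the error callback. `navigate` is injected so the logic can be
// exercised outside a browser; on a page it would set window.location.href.
function makeErrorCallback(navigate, currentPath, showError) {
  return function (message) {
    if (message === TIMEOUT_MARKER) {
      // Redirect only to the constant login path. The return URL is the page's
      // own path, never a value taken from the response body.
      navigate(LOGIN_PATH + "?ReturnUrl=" + encodeURIComponent(currentPath));
    } else {
      showError(message); // ordinary callback error, no redirect
    }
  };
}

// Run the dispatch over constructed sample responses and collect the effects.
function demo() {
  const visited = [], errors = [], results = [];
  const onError = makeErrorCallback(
    (url) => visited.push(url), "/Orders/Edit.aspx?id=7", (m) => errors.push(m));
  const outcomes = [
    "sorder saved",                    // normal success
    "e" + TIMEOUT_MARKER,              // written by the AuthenticateRequest handler
    "eInvalid quantity",               // ordinary error
    "<html><body>Login</body></html>", // constructed: begins with neither 's' nor 'e'
  ].map((r) => dispatchCallbackResponse(r, (p) => results.push(p), onError));
  return { outcomes, visited, errors, results };
}
```

Keeping the redirect target a constant means the 'e' message only selects between "show error" and "go to login"; nothing in the response body can steer the browser elsewhere.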
