Save web form contents on authentication timeout and restore it

by Peter Ravnholt 15. February 2008 16:44

In ASP.NET solutions using forms based security, there is a problem if the forms authentication ticket times out while the user is filling out a large web form. This is a simple solution to that problem using a custom HttpModule and a single .aspx page:

A typical scenario is where:

  1. The solution is using forms authentication (using cookies, and with a timeout set to 30 minutes in web.config).
  2. The user starts filling out a large web form. 
  3. The user takes a long phonecall or goes to lunch. 
  4. The user returns, resumes filling out the form and submits. 
  5. Bang - the user is redirected to the login page because the authentication ticket timed out. 
    After logging in again the form will be empty - all work filling out the form is lost.

The easiest solution would be to make the forms authentication ticket live very long (ex. 24 hours). But in my experience many customers require that the login times out after typically 30 minutes for security reasons.

I had no luck googling a solution, so here is what I came up with:

Solving this requires a simple HttpModule and a transit page. The HttpModule will capture the posted form and save it to application state, just before the forms authentication redirects the user to the login page. Application state is used because Session state is not accessible at the time of interception. A few tricks are used here, see the code for details.

After login, the same HttpModule will redirect the request to a transit page. This transit page will restore the form contents as hidden fields and do a submit (http post triggered on load) to the original page. There you go, form restored. The flow looks like this:

This way everything from the original form post will be restored, including ViewState. The original page will happily recieve the postback and do normal page processing. The restoring of the form will be transparent to the end user. Usually the transit page will be so fast that the user doesn't see it.

This will also work with Ajax to some extent. Form fields inside an UpdatePanel will be re-populated by the form saver, but any callback from controls inside the UpdatePanel will be "replaced" by a full page postback from the transit page.

I have put together a small demo with the HttpModue and the transit page at MSDN Code Gallery: http://code.msdn.microsoft.com/formsaver.

Tags: ,

.NET development | ASP.NET

E-mail | Kick it! | DZone it! | del.icio.us
Permalink | Comments (1) | Post RSSRSS comment feed

Comments

9/2/2008 3:19:01 PM #

Michael Capocci

Excellent idea, just one thing to note, in

FormSaverHttpModule.context_BeginRequest

it may be better to have

context.Response.Redirect("~/Timeouts/FormStateRestore.aspx?ReturnUrl=" + HttpUtility.UrlPathEncode(context.Request.RawUrl));

(UrlEncode replaced by UrlPathEncode to preseve slashes)

Michael Capocci United Kingdom

Add comment




  Country flag

biuquote
  • Comment
  • Preview
Loading



Powered by BlogEngine.NET 1.6.1.0

About the author

Peter Ravnholt

My Delicious bookmarks

Email

Peter Ravnholt is working as a .NET software architect and lead developer.

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

 


© Copyright 2009, Peter Ravnholt


Creative Commons License

Peter's .NET Ramblings is licensed under a Creative Commons Navngivelse 3.0 Unported License.
Permissions beyond the scope of this license may be available at the contact page.