RE: FormsAuthentication Redirect prevent data loss

Hello Chuck,

I can't use the suggestions that violated security principles like
having cookies/tokens which are set to expire for security reasons,
not expire by having javascript refreshes.

Are their any other complicated solutions which would involve
examining the http pipeline events.

You could store the whole request in memory or database, before the runtime decides that the login sessionhas timed out (so pretty early in the request lifecycle). Then redirect to the original page, substitute the request data from memory and let the page do its usual thing

As you say, it migth require some very low level hacking, but should work.

Other solutions might include (in random order):
- split up the page in multiple steps, storing the results in between.
- post back on a timer, storing results as the user types, you could detect that the postback hasn't changed between previous postbacks and still logout the user
- use ASP.NET Ajax to send the changes to the server in the background
- use a client side object and use the local Isolated Storage facility
- use Silverlight and store the data in the local data store
- set the timeouts on session and login very high and keep a last action timer in the session. handle the page as usual, but the log out the user if x amount of time has expired (this can be handled from the global.asax)
- use a javascript timeout on the page to warn the user that the session will terminate in x minutes and let him push an intermediate save button
- educate the users on how 'the web usually works'
- ...
- ...

--
Jesse Houwing
jesse.houwing at sogeti.nl


.