Using Forms Authentication auth cookie will never timeout #2907

Closed
moity opened this issue Feb 25, 2014 · 6 comments

@moity

moity commented Feb 25, 2014

Using SignalR with Forms Authentication (ASP.NET MVC4, SignalR 2.0.2.0), is it possible to have Pings and Reconnects not reissue the Auth cookie (set its timeout further into the future)?

Basically, I want the Auth cookie to timeout (which it was doing until having SignalR in the solution).

I can see the Auth Cookie in the Response Headers being reissued on Ping and Reconnects.

I've read the documentation and searched extensively but found nothing around this - can it be done via configuration or a HubPipelineModule?

Any help appreciated.

@halter73
Member

halter73 commented Mar 4, 2014

The purpose of the ping is to ensure auth cookies are reissued. If you want to disable pings, try starting your connection with the pingInterval configured to null (meaning disabled):

$.connection.hub.start({pingInterval: null}).done(function () { /* ... */ });

Unfortunately, chances are that if you are using a transport other than WebSockets, SignalR will issue requests periodically anyway.

@halter73 halter73 closed this as completed Mar 4, 2014
@moity
Author

moity commented Mar 4, 2014

I tried setting the pingInterval to null and found that there are still requests being issued, as you stated, so that was not a solution.

In the end I added an HttpModule to my application that looks at the request path and, if it is SignalR, clears any FormsAuthentication cookie from the response, ensuring that the auth cookie is not reissued and expires after user inactivity as before.

@SherleyDev

@moity Can you please post your solution? I need this feature too.

@moity
Author

moity commented May 22, 2014

My implementation has evolved a little but this is basically it (remember to register the module in your config, or via code):

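using System;
using System.Web;
using System.Web.Security;

// Strips the Forms Authentication cookie from responses to SignalR requests so that
// background traffic does not push the ticket's expiration further into the future.
public class SignalRFormsAuthenticationCleanerModule : IHttpModule
{
   public void Init(HttpApplication application)
   {
      // Runs just before headers are sent, after the auth cookie has been added to the response
      application.PreSendRequestHeaders += OnPreSendRequestHeaders;
   }

   // Required by IHttpModule; there is nothing to release
   public void Dispose()
   {
   }

   private bool ShouldCleanResponse(string path)
   {
      var urlsToClean = new string[] { "/signalr/", "<and any others you require>" };

      // Check for a Url match (case-insensitive substring match anywhere in the path)
      foreach (var url in urlsToClean)
      {
         var result = path.IndexOf(url, StringComparison.OrdinalIgnoreCase) > -1;
         if (result)
            return true;
      }

      return false;
   }

   protected void OnPreSendRequestHeaders(object sender, EventArgs e)
   {
      var httpContext = ((HttpApplication)sender).Context;

      if (ShouldCleanResponse(httpContext.Request.Path))
      {
         // Remove Auth Cookie from response
         httpContext.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
         return;
      }
   }
}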
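
Why stripping the cookie on `/signalr/` responses restores the idle timeout, as an added example that is not part of the original thread: a JavaScript model (not ASP.NET or SignalR code) of sliding expiration replayed over constructed traffic. It assumes a 30-minute forms timeout, a ping every 5 minutes, and renewal once half the ticket lifetime has elapsed; all function names are hypothetical.

```javascript
// Model only. All times are minutes since login.

// Sliding expiration reissues the ticket only once at least half of its
// lifetime has elapsed (the rule applied by FormsAuthentication.RenewTicketIfOld).
function renewIfOld(ticket, now) {
  const age = now - ticket.issued;
  const remaining = ticket.expires - now;
  if (remaining > age) return ticket;              // still in the first half: keep
  const lifetime = ticket.expires - ticket.issued;
  return { issued: now, expires: now + lifetime }; // fresh ticket, same lifetime
}

// Hypothetical path rule mirroring the thread's module: responses to these
// paths must not carry a reissued auth cookie.
function isBackgroundPath(path) {
  return path.toLowerCase().includes("/signalr/");
}

// Replays constructed requests ({ t, path }) against one session and returns
// the time of the first request the server rejects, or null if none is.
function firstRejection(requests, timeout, stripOnBackground) {
  let ticket = { issued: 0, expires: timeout };    // user logs in at t = 0
  for (const { t, path } of requests) {
    if (t > ticket.expires) return t;              // expired ticket: redirect to login
    const renewed = renewIfOld(ticket, t);
    // The browser only learns of a renewal through Set-Cookie. If the cookie
    // is stripped from the response, the browser keeps the old ticket.
    if (!(stripOnBackground && isBackgroundPath(path))) ticket = renewed;
  }
  return null;
}

// Constructed traffic: one page view at t = 2, then the user walks away while
// the client keeps pinging every 5 minutes for 4 hours.
function idleUserTraffic() {
  const requests = [{ t: 2, path: "/Home/Index" }];
  for (let t = 5; t <= 240; t += 5) requests.push({ t, path: "/signalr/ping" });
  return requests;
}

const TIMEOUT = 30; // assumed forms timeout in minutes
console.log("pings renew cookie:", firstRejection(idleUserTraffic(), TIMEOUT, false));
console.log("cookie stripped   :", firstRejection(idleUserTraffic(), TIMEOUT, true));
```

In the model, the idle session is never rejected while pings can renew the cookie; with the cookie stripped on background paths, the first request after the 30-minute mark is rejected, while ordinary page views still renew the ticket.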

@RavilMahmutov

Hi, where should I add it? In Startup.cs?

@moity
Author

moity commented Oct 8, 2018

It's an HttpModule, so you register it like any other, in your web.config or via code; Startup.cs will work.
