Handling session time out when ajax call to C# mvc controller not working

Question

When calling a function from ajax. Program flow does not recognized the expired session i.e not redirect to the login page. Instead of that, it saves the record. I am workin

Answer 1

The result of your AJAX call will still likely end up appearing successful (although, don't worry, it won't actually execute your action method), and invoke your success handler. This is because you are expecting HTML, and that is what you are receiving (albeit, the resulting HTML is likely your login page, and not the HTML you wanted). As an aside, if you expected JSON (using dataType:'JSON'), it would trigger an error, because it would be parsing HTML as JSON.

What you need to do is prevent FormsAuth from redirecting the login page for AJAX requests. Now, AuthorizeAttribute faithfully returns a NotAuthorizedResult, which sends an HTTP 401 Not Authorized response to the client, which is ideal for your AJAX client.

The problem is that FormsAuth module checks the StatusCode and if it is 401, it performs the redirect. I've combatted this issue in this way:

1) Create my own derivative type of AuthorizeAttribute that places a flag inHttpContext.Items to let me know authorization failed, and I should force a 401 rather than a redirect:

public class AjaxAuthorizeAttribute : AuthorizeAttribute
{
    /// <summary>
    /// Processes HTTP requests that fail authorization.
    /// </summary>
    /// <param name="filterContext">Encapsulates the information for using <see cref="T:System.Web.Mvc.AuthorizeAttribute"/>. The <paramref name="filterContext"/> object contains the controller, HTTP context, request context, action result, and route data.</param>
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAjaxRequest()) filterContext.HttpContext.Items["AjaxPermissionDenied"] = true;

        base.HandleUnauthorizedRequest(filterContext);
    }
}

2) Add to your Global.asax.cs:

    protected void Application_EndRequest(Object sender, EventArgs e)
    {
        if (Context.Items["AjaxPermissionDenied"] is bool)
        {
            Context.Response.StatusCode = 401;
            Context.Response.End();
        }
     }

3) Add a statusCode handler to your jQuery AJAX setup:

$.ajaxSetup({
    statusCode: {
        401: function() {
            window.location.href = "path/to/login";
        }
    }
});

4) Change the controllers or actions where you want this behavior from using AuthorizeAttribute to AjaxAuthorizeAttribute:

[AjaxAuthorize]
public string SaveEmployee(string Location, string dateApplied, string Status, string mailCheck, ...)
{
      objEmpMain.FirstName = firstName;
      objEmpMain.LastName = lastName;
      objEmpMain.Initial = Initial;
      objEmpMain.Address1 = Address;
      ...
      ... 
      ...
} 

Answer 2

I would like to sugguest you to use StatusCode = 306. I met some problem when use 401.IIS treat 401 different from what I understand. 306 works fine for me.

Regards.