Friday, November 18, 2011

Automatically log out Members and Send to Login Page in Umbraco

One of my customers came to me the other day and requested that a password-protected area of their Web site be set up to automatically log users out of the password-protected area after 15 minutes of idleness. They were concerned that there might be a security risk to their site if users left their workstations while logged in.

This behavior is common on Web sites that need to defend against such security risks. Online banking Web sites are probably the first that come to mind.

I was greatly surprised that I couldn't find anything online -- including in the Umbraco forums -- that addressed every detail needed to achieve this. Also, many of the blog and forum posts that I found were related to auto-logouts for the /umbraco/ area of Web sites (i.e., the admin area). Though I may need to implement similar measures for that area as well, this article does not pertain to that. This is strictly dealing with Umbraco Members who are logged in to a particular area of the site that requires a username and password.

OK, now that the preliminary discussion is finished, let's get to the solution, which, really, is very simple. In this example, we're going to use an auto-logout time of 15 minutes.

First, open your Web.config file and find the sessionState element, which is in the system.web section. Within the sessionState element, look for the timeout="15" attribute. If it isn't there, you'll need to add it. For example:

<sessionState timeout="15" />

Next, you'll need to find (or add) the following:

<authentication mode="Forms">
    <forms timeout="15" />
</authentication>

NOTE: your <forms> element may have several more properties in it. I'm just simplifying it for this post.

Next, you need to add a new property to the Umbraco Document Type used by the page that you want to log users out of automatically. In my case, that Document Type is called Textpage. To do this, log in to the admin area of your site (i.e., the /umbraco/ area). Click on the Settings section. Open the Document Types, and select the one that your Member-secured page uses. Click on the Generic properties tab for that Document Type. Click on the Add New Property option. I named mine SecureRedirect. Set the Type to Textstring. For the Tab option, mine is set to Meta Data, but you may want yours somewhere else. Save the Document Type, and you're set for this part.

Next, while you're still in the Settings Section, open your main Master Page template. Find a good place in the <head> element and insert an Umbraco field item, such as:

<umbraco:Item field="secureRedirect" runat="server"></umbraco:Item>

Save that file.

Next, click on the Content Section and browse to the page for which you need to set up the auto-logout. Click on the tab where you set up the SecureRedirect Property (i.e., mine is in the Meta Data tab). You'll see the Secure redirect textbox. Insert the following code into that textbox:

<META HTTP-EQUIV="Refresh" CONTENT="920;URL=/login.aspx">

NOTE: the time here is in seconds, not minutes. I set mine to just over 15 minutes (15 minutes is 900 seconds, for those mathematically challenged out there :), to make sure the sessionState and forms timeouts were definitely expired when the page redirects. Also, set the URL to wherever you want the user to be redirected.

Save and Publish your page. Then test to your heart's desire. For ease of testing, I originally set my sessionState and forms timeouts to "1" and my meta refresh time to 70 seconds.
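The three values set above have to agree: the meta refresh delay must be longer than both the sessionState and forms timeouts, and the element names must be spelled in the exact case ASP.NET expects. The following Python check is an added example, not part of the original post; the function name and sample inputs are constructed, and the 20- and 30-minute figures are the ASP.NET defaults that apply when a timeout attribute is omitted.

```python
import re
import xml.etree.ElementTree as ET

# ASP.NET defaults in minutes, used when the timeout attribute is absent.
DEFAULTS = {"sessionState": 20, "forms": 30}

# Constructed sample inputs, using the values from this post.
GOOD_CONFIG = """<configuration><system.web>
  <sessionState timeout="15" />
  <authentication mode="Forms"><forms timeout="15" /></authentication>
</system.web></configuration>"""
# Wrong element case, and no timeout on <forms> (so the 30-minute default applies).
BAD_CONFIG = """<configuration><system.web>
  <sessionstate timeout="15" />
  <authentication mode="Forms"><forms /></authentication>
</system.web></configuration>"""
META = '<META HTTP-EQUIV="Refresh" CONTENT="920;URL=/login.aspx">'

def check_idle_logout(web_config_xml, meta_tag):
    """Return a list of problems; an empty list means the three values agree."""
    root = ET.fromstring(web_config_xml)
    sysweb = next((c for c in root if c.tag == "system.web"), None)
    if sysweb is None:
        return ["no <system.web> section found"]
    problems, minutes = [], dict(DEFAULTS)
    for el in sysweb.iter():
        for name in DEFAULTS:
            if el.tag == name:
                minutes[name] = int(el.get("timeout", DEFAULTS[name]))
            elif el.tag.lower() == name.lower():
                # Web.config element names are case-sensitive.
                problems.append(f"<{el.tag}> should be spelled <{name}>")
    m = re.search(r'content\s*=\s*["\']\s*(\d+)\s*;\s*url\s*=', meta_tag, re.I)
    if not m:
        return problems + ["meta tag has no '<seconds>;URL=<target>' content"]
    refresh = int(m.group(1))
    for name, mins in minutes.items():
        if refresh <= mins * 60:
            problems.append(f"refresh at {refresh}s does not outlast the "
                            f"{name} timeout of {mins * 60}s")
    return problems

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_idle_logout(cfg, META) or "OK")
```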

Hopefully I didn't miss anything! If you find this to be useful, or if you see that I did something incorrectly, please let me know.