I have some logic that opens a custom page in a modal dialog when a user triggers a certain event on the host page in the Pages app. Everything works fine, but if a user is has been inactive for just a couple of minutes, then opens the dialog, he gets an "access denied" error because MembershipContext.AuthenticatedUser as well as CMSPage.CurrentUser return 'public' instead of the real user's object. Refreshing the browser or switching to a different page in the tree, then returning to the original page, restores the user's context, but it's a huge nuisance, especially when the inactivity period is so short. How do I prevent this behavior?
We use AD authentication, so authentication mode is set to Windows in the web.config. Here are the the membership and roleManager elements:
<membership defaultProvider="CMSProvider" userIsOnlineTimeWindow="30">
<add name="CMSProvider" type="CMS.MembershipProvider.CMSMembershipProvider" connectionStringName="CMSConnectionString" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed" />
<roleManager defaultProvider="CMSRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All">
<add name="CMSRoleProvider" type="CMS.MembershipProvider.CMSRoleProvider" connectionStringName="CMSConnectionString" applicationName="SampleApplication" writeExceptionsToEventLog="false" />
I looked at when CMSWindowsUser cookie gets accessed, and there appears to be no correlation. It's set to expire on Session, and the session is active from what I can tell. The value of the SessionId stays unchanged.
Finally, I can see that, after a refresh, the value of IPrincipal.ExpireDate is indeed set to 30 mins into the future, as per web.config. However, just a couple minutes later, when the dialog is opened again, the value if IPincipal changes: Name="" and IsAuthenticated=false.