Feed Icon  


  • Bryant Likes
  • Send mail to the author(s) E-mail
  • twitter
  • View Bryant Likes's profile on LinkedIn
  • del.icio.us
Get Microsoft Silverlight
by clicking "Install Microsoft Silverlight" you accept the
Silverlight license agreement

Hosting By

Hot Topics


Open Source Projects



Page 1 of 1 in the RiaServices category(RSS)

Idle Timeouts in RIA Services Authentication

Posted in RiaServices | Silverlight at Wednesday, October 28, 2009 10:02 AM Pacific Standard Time

A question came up in the Silverlight Forums about how to timeout a user when using .NET RIA Services. Since I have implemented this before I thought I would share an approach I used. There might be a better way that is more integrated with the ASP.Net security, but for now this works.

To start with, you’ll need the Sample Application that Brad Abram has been building and blogging about and you might want to read through this post on Authentication in RIA Services before going any further. Once you have that and can build/run it on your machine you can continue on.

The security in Brad’s example uses a simple membership provider that is using RIA Services FormsAuthentication since it takes a username and password to log in. For our example we will extend the FormsAuthentication and add a timeout to it. Below is my implementation of the FormsWithTimeoutAuthentication class:

namespace MyApp
    public class FormsWithTimeoutAuthentication : FormsAuthentication
        private DispatcherTimer idleTimer;
        private int minutesIdle;
        private bool idle;
        private bool attached = false;

        public FormsWithTimeoutAuthentication()
            : this(20)
        { }

        public FormsWithTimeoutAuthentication(int idleMinutes)
            IdleMinutesBeforeTimeout = idleMinutes;
            idleTimer = new DispatcherTimer();
            idleTimer.Interval = TimeSpan.FromMinutes(1);
            idleTimer.Tick += new EventHandler(idleTimer_Tick);

        public int IdleMinutesBeforeTimeout

        protected override LoginResult EndLogin(IAsyncResult asyncResult)
            var result = base.EndLogin(asyncResult);

            if (result.LoginSuccess == true)
                if (!attached) AttachEvents();
                minutesIdle = 0;

            return result;

        protected override LogoutResult EndLogout(IAsyncResult asyncResult)

            return base.EndLogout(asyncResult);

        private void AttachEvents()
            attached = true;
            Application.Current.RootVisual.MouseMove += new MouseEventHandler(RootVisual_MouseMove);
            Application.Current.RootVisual.KeyDown += new KeyEventHandler(RootVisual_KeyDown);

        private void RootVisual_KeyDown(object sender, KeyEventArgs e)
            idle = false;

        private void RootVisual_MouseMove(object sender, MouseEventArgs e)
            idle = false;

        private void idleTimer_Tick(object sender, EventArgs e)
            if (idle == true)
                minutesIdle += idleTimer.Interval.Minutes;
                if (minutesIdle >= IdleMinutesBeforeTimeout)
                minutesIdle = 0;
            idle = true;

All this class does is add a timer that fires once a minute. If the user has either moved the mouse or hit a key in that minute then they stay logged in. If the user hasn’t, then a minute of idle time is added to the idle minute count until the timeout limit is reached. Once that happens the user gets logged out.

Note that the events are attached to the root visual and don’t get attached until the user logs in. This is because the Authentication is created prior to the RootVisual being set.

Simply add this code to the sample project (linked above) and then change the authentication service in the App.xaml as follows:


                <ResourceDictionary Source="Assets/Styles.xaml"/>

                <app:FormsWithTimeoutAuthentication IdleMinutesBeforeTimeout="2"/>


Here I’ve set the IdleMinutesBeforeTimeout to 2 minutes so that it is easy to test.

Once you’ve modified the application, when you run it you will get logged out after the number of minutes you specify in the timeout. There are lots of enhancements that could be made to this simple approach, but this works for most situations.

Page 1 of 1 in the RiaServices category(RSS)