asp.net cookies, authentication and session timeouts

I have an asp.net website that uses forms authentication. There are a few things I keep in sessions like username, userID, email, etc.

I allow the user to stay logged into the website by setting a long expiration date on the authentication cookie. So it's very common for the session to expire while the user is still authenticated.

The problem I am running into is that sometimes the user's session times out but they're still authenticated. So for example, one of my user pages (which requires authentication) will say "Welcome Mike" when their session is active but once it expires it will say "Welcome [blank]" because the info is no longer in the session, yet they are still authenticated.

What's the best way to handle this? Should I resync the session info when the info is no longer there? Or should I move the user info (username, userID, email) into cookies and not worry about session timeouts?

I do not want to set the session length to something like 60 minutes or more. What I want is for my users to be able to log in once and not worry about having to log in again until they explicitly log out.

danifo asked Jan 18 '09 03:01

1 Answer

Avoid using session as much as you can; if you can get away without session it makes multi-server deployments quite a bit easier. Probably, Name and email are easy candidates for cookies. It's easy to fake a cookie, so userID may not be a good idea depending on your security needs.

The forms authentication cookies are encrypted and you can add extra data to those cookies (See details below). It's probably hackable but not nearly as easily as a simple cookie.

Here is the code I have used in the past slightly modified to remove some project specific details. Call this in the LoggedIn event of the login control.

// Name of the forms-auth cookie as configured in web.config (".ASPXAUTH" by default).
static readonly string AUTH_COOKIE = FormsAuthentication.FormsCookieName;

void AddUserIDToAuthCookie(string userID)
{
    // There is no way to directly set the userdata portion of a FormsAuthenticationTicket
    // without re-writing the login portion of the Login control
    //
    // I find it easier to pull the cookie that the Login control inserted out
    // and create a new cookie with the userdata set
    HttpCookie authCookie = Response.Cookies[AUTH_COOKIE];

    // Indexing Response.Cookies creates an empty cookie when the name is absent,
    // so an empty value has to be treated the same as a missing cookie.
    if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
    {
        return;
    }

    Response.Cookies.Remove(AUTH_COOKIE);

    // Decrypt the ticket the Login control issued and re-issue it with the same
    // settings, changing only the UserData field.
    FormsAuthenticationTicket oldTicket = FormsAuthentication.Decrypt(authCookie.Value);
    var newTicket =
        new FormsAuthenticationTicket(oldTicket.Version, oldTicket.Name, oldTicket.IssueDate, oldTicket.Expiration,
                                      oldTicket.IsPersistent, userID, oldTicket.CookiePath);

    authCookie.Value = FormsAuthentication.Encrypt(newTicket);

    Response.Cookies.Add(authCookie);
}

FYI, I copied this from an old project and edited it here to remove some project specific bits, so it may not compile, but it'll be very close.

To get the ID in your webpage...

FormsAuthenticationTicket ticket = ((FormsIdentity) Page.User.Identity).Ticket;
string id = ticket.UserData;

I used this mechanism to store an id that was not part of the aspnetdb user data. If all your identity data is handled by the aspnetdb, you may only need to access the Page.User.Identity object.

ScottS answered Oct 18 '22 04:10
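Building on the answer above, here is an added example (not the answerer's code) that issues the forms-auth ticket directly with userId and email in UserData, then rebuilds the user object from the validated ticket on every request, so nothing depends on Session lifetime. The SiteUser and AuthTicketHelper types, the "userId|email" layout and the 30-day/30-minute lifetimes are this example's own choices.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Carries the per-user fields that used to live in Session (hypothetical type for this example).
public class SiteUser : GenericPrincipal
{
    public string UserId { get; private set; }
    public string Email { get; private set; }
    public SiteUser(FormsIdentity identity, string userId, string email)
        : base(identity, new string[0]) { UserId = userId; Email = email; }
}
public static class AuthTicketHelper
{
    // Issue the ticket ourselves instead of patching the Login control's cookie, putting the extra
    // fields in UserData. Encrypt() also MACs the ticket, so an edited cookie fails Decrypt() instead of being trusted.
    public static HttpCookie IssueCookie(string userName, string userId, string email, bool persistent)
    {
        string userData = userId + "|" + email;                 // assumed layout: "userId|email"
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(1, userName, now,
            persistent ? now.AddDays(30) : now.AddMinutes(30),  // assumed lifetimes
            persistent, userData, FormsAuthentication.FormsCookiePath);
        // HttpOnly keeps the cookie away from page script; Secure follows requireSSL in web.config.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Path = FormsAuthentication.FormsCookiePath };
        if (persistent) cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // Rebuild SiteUser on every request from the already-validated ticket; Session is not involved.
    public static SiteUser FromIdentity(FormsIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated || identity.Ticket.Expired) return null;
        string[] parts = identity.Ticket.UserData.Split('|');
        if (parts.Length != 2) return null;                     // ticket issued without UserData
        return new SiteUser(identity, parts[0], parts[1]);
    }
}

// Global.asax.cs: swap in the richer principal once forms authentication has validated the cookie.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var user = AuthTicketHelper.FromIdentity(Context.User == null ? null : Context.User.Identity as FormsIdentity);
        if (user != null) Context.User = user;                  // Page.User is now a SiteUser
    }
}
```

In a page, `Page.User as SiteUser` then gives the name, id and email whether or not the session has expired.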