Menu
What are the exact steps required for a cookie to persist after a browser is closed? At the moment I have:
createPersistentCookie set to true on LoggedIn event. true.As long as the browser is open, the user will stay logged in, but as soon as it's closed, and it doesn't matter for how long, the user will need to log in again. What am I missing?
EDIT:
I went through the article pointed out by marapet (see comments below) and it made me interested in whether the ticket does indeed have IsPersistent flag, which it does. The decrypted ticket looks like this:
System.Web.Security.FormsAuthentication.Decrypt(Request.Cookies[System.Web.Security.FormsAuthentication.FormsCookieName].Value)
{System.Web.Security.FormsAuthenticationTicket}
CookiePath: "/"
Expiration: {19/08/2010 17:27:14}
Expired: false
IsPersistent: true
IssueDate: {19/07/2010 17:27:14}
Name: "alex"
UserData: ""
Version: 2
All the details are correct, and correspond to those I set in LoggedIn event. More over the cookie value I can retrieve from the cookie directly, is identical to this one. Yet as soon as I close the browser, the cookie is lost.
What I have noticed, however, is that the cookie carrying the ticket has it's date reset for some reason. Firstly I can't override settings in web.config, so at the end of LoggedIn event it's Expires property is 4000 minutes after issue date, not a month which I am setting programmatically. Then after page load the cookie I retrieve with FormsAuthentication.FormsCookieName has Expires property of 01/01/0001. I think perhaps this is where the problem lies? Any thoughts would be appreciated.
EDIT#2: I am changing both title and tags to include session, as it turned out to be relevant for the problem/solution
853
Some cookies are 'session cookies', which means they only exist when your browser is open and are automatically deleted when you close your browser or quit the app.
Normally in ASP.Net the session cookies are set with a 20 minute timeout. That's usually pretty good. Depending on your app, you may want a javascript timer as well. Otherwise the browser won't understand when it's logged out until a page refresh happens and sensitive data can be exposed.
Session cookies expire once you log off or close the browser. They are only stored temporarily and are destroyed after leaving the page.
So I found the solution, eventually. As it turns out, it wasn't the problem with the authentication cookie as such (it was retained correctly, or rather would have been if the handler didn't remove it, having incorrectly decided that a user wasn't logged in based on the missing session). The problem was that the Session cookie was lost, or wasn't identified properly. So the fix was to manually add a session cookie during log on like so:
HttpCookie authCookie = new HttpCookie("ASP.NET_SessionId", Session.SessionID);
authCookie.Domain = ".mydomain.com";
authCookie.Expires = DateTime.Now.AddMonths(1);
Response.Cookies.Add(authCookie);
Now when the browsers opens again the session is identified properly and user session restored.
91
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With