Menu
So there are lots of posts on StackOverflow regarding this, but I still was unable to solve my exact problem. Here's the gist:
I have a website that requires authentication. I am using the standard .NET FormsAuthentication.SetAuthCookie() method to persist the user's session.
My question is this: In the web.config file, there is a timeout attribute to the "/system.web/authentication/forms" node. If I set this value to say, 30 minutes, is this the time of user inactivity the user can have before their session expires?
The reason I ask is that no matter what I set this value to, if I set persistence to true in SetAuthCookie(), the expiration on the cookie set is 90 minutes. If I set persistence to false in SetAuthCookie(), the cookie expiration is set to "end of session".
What is that "Timeout" attribute value actually setting, and how can I get a persistent cookie that lasts a month or a year or longer?
339
The SetAuthCookie method adds a forms-authentication ticket to either the cookies collection or the URL if CookiesSupported is false . The forms-authentication ticket supplies forms-authentication information to the next request made by the browser.
Remarks. The FormsCookieName property value is set in the configuration file for an ASP.NET application by using the name attribute of the forms configuration element. The FormsCookieName is used to reference the cookie that stores the FormsAuthenticationTicket information.
You first need to Clear the Authentication Cookie and Session Cookie by passing back empty cookies in the Response to the Logout. public ActionResult LogOff() { FormsAuthentication. SignOut(); Session. Clear(); // This may not be needed -- but can't hurt Session.
FormsAuthenticationTicket(Int32, String, DateTime, DateTime, Boolean, String, String) Initializes a new instance of the FormsAuthenticationTicket class with cookie name, version, directory path, issue date, expiration date, persistence, and user-defined data.
The parameter timeout you've found in /system.web/authentication/forms is the timeout (in minutes) of the duration of authentication ticket.
This means that after a certain amount of time of inactivity, a user is prompted to login again. If you try to check this My.Profile.Current.IsAuthenticated it will be false.
You can choose not to persist the cookie. In this situation if your ticket expires, your cookie expires too. The cookie (in case is persisted) has a purpose to remember the user if he/she comes back to your site.
You might want to persist your cookie for 10 years so the user will never have to insert username and password again, unless they've chosen to delete the cookie. The cookie is valid even if the browser is closed (when it is persisted).
Another important thing to remember is the parameter slidingExpiration:
<authentication mode="Forms"> <forms loginUrl="~/Partner/LogOn" defaultUrl="~/Home/Index" timeout="30" slidingExpiration="true" /> </authentication> if it's true your authentication ticket will be renewed every time there's activity on your site: refresh of the page etc.
What you can do - and what I've done - is to write your own cookie like this:
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, //version userName, // user name DateTime.Now, //creation DateTime.Now.AddMinutes(30), //Expiration (you can set it to 1 month true, //Persistent userData); // additional informations Update
I've implemented this routine cause I want to store my groups in an encrypted cookie:
Dim authTicket As System.Web.Security.FormsAuthenticationTicket = _ New System.Web.Security.FormsAuthenticationTicket( _ 1, _ UserName, _ Now, _ Now.AddYears(100), _ createPersistentCookie, _ UserData) Dim encryptedTicket As String = System.Web.Security.FormsAuthentication.Encrypt(authTicket) Dim authCookie As HttpCookie = New HttpCookie( _ System.Web.Security.FormsAuthentication.FormsCookieName, _ encryptedTicket) If (createPersistentCookie) Then authCookie.Expires = authTicket.Expiration End If Response.Cookies.Add(authCookie) As you can see I've set the expiration of the authentication cookie and the authentication ticket with the same timeout (only when persisted).
Another thing that I've tried is to stored username and password in the encrypted cookie. Everytime a masterpage is loaded I check My.Profile.Current.IsAuthenticated to see if the authentication is still valid. If not I read the cookie again, get the username and password, and check it on the DB:
Public Function ReadCookieAuthentication(ByVal Context As System.Web.HttpContext) As Security.CookieAuth Dim CookieUserData = New Security.CookieAuth() Dim cookieName As String = System.Web.Security.FormsAuthentication.FormsCookieName Dim authCookie As HttpCookie = Context.Request.Cookies(cookieName) If (Not (authCookie Is Nothing)) Then Dim authTicket As System.Web.Security.FormsAuthenticationTicket = Nothing Try authTicket = System.Web.Security.FormsAuthentication.Decrypt(authCookie.Value) If (Not (authTicket Is Nothing)) Then If (authTicket.UserData IsNot Nothing) AndAlso Not String.IsNullOrEmpty(authTicket.UserData) Then CookieUserData = New JavaScriptSerializer().Deserialize(Of Security.CookieAuth)(authTicket.UserData.ToString) End If CookieUserData.UserName = authTicket.Name End If Catch ex As Exception ' Do nothing. End Try End If Return (CookieUserData) End Function Security.CookieAuth is an object I've created to return username and password.
CookieUserData is the storage (I save in json format) where I put my password and groups.
64
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
