
FormsAuthenticationTicket expiration

I have been searching the web and found many odd answers, and I've tried almost all of them. My problem is this. My login page contains:

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(min), persistCookie, userid.ToString());
string encTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
cookie.Expires = ticket.Expiration;
Response.Cookies.Add(cookie);

FormsAuthentication.RedirectFromLoginPage(userName, persistCookie);

Now the min value is per user based and can be set individually, so is persistCookie.

From what I understand, this code should result in the possibility of overriding the default values in web.config, which should be 30 minutes.

<authentication mode="Forms">
  <forms loginUrl="~/Default/default.aspx" defaultUrl="~/User/UserMain.aspx"/>
</authentication>

min is currently set to 120, and persistCookie is set to true. When I log in I get a timeout at 30 minutes. (Not session, so somewhere an expiration date is set, because if it was not set the cookie should be session based; also I do not get 120 minutes, which is kind of the deal here.)

My question, to simplify it, is: how do I get the value 'min' to be the expiry date of the cookie?

This might turn out to be a simple thing but I am currently totally stuck, so any help would be appreciated.

EDIT: I changed the login logic to this:

FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(min), persistCookie, userid.ToString());
string encTicket = FormsAuthentication.Encrypt(fat);
Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket) { Expires = fat.Expiration });
Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));

And now it works. But I can't seem to figure out why this would work, and not the previous one. Ticket creation is the same; the only difference is that I set the Expires property of the HttpCookie when creating the HttpCookie, not after the object is made.

If anybody has a good explanation I am all ears! :)

Bjørn asked May 27 '12 10:05



2 Answers

The problem with your code is that you're calling RedirectFromLoginPage, which will create the forms authentication cookie, overwriting the cookie you've just created:

HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
cookie.Expires = ticket.Expiration;
Response.Cookies.Add(cookie);

FormsAuthentication.RedirectFromLoginPage(userName, persistCookie); // <-- creates a new cookie

The cookie created by RedirectFromLoginPage will of course have the default timeout taken from configuration.

Your second version is the way to go.

Joe answered Sep 22 '22 06:09


I think you don't understand the difference between cookie expiration and ticket expiration dates: a ticket can be considered expired even if the cookie it is stored in is still valid. The 4th parameter of the FormsAuthenticationTicket constructor is responsible for the ticket expiration date.

So, to answer your question, you need to manually set the expiration date of your cookie or make it long enough to exceed the expiration date of your authentication ticket.

Sergey Rybalkin answered Sep 24 '22 06:09
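
The two answers combined, as an added C# example that is not part of the original thread: a hypothetical `LoginTicketIssuer` helper (class and method names are assumptions) that issues the ticket with the per-user lifetime, writes the cookie once and redirects without `RedirectFromLoginPage`, plus a check of the time left on the ticket. It assumes classic ASP.NET (`System.Web`) with forms authentication enabled.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: hypothetical helper, not code from the question or the answers.
public static class LoginTicketIssuer
{
    // minutes and persist are the per-user settings ("min", "persistCookie") from the question.
    public static void SignIn(HttpContextBase context, string userName, int userId,
                              int minutes, bool persist)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(minutes), persist,
            userId.ToString(), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,  // follow <forms requireSSL="...">
            Path = FormsAuthentication.FormsCookiePath
        };
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Persistent login: the browser keeps the cookie until the ticket expires.
        // Otherwise leave Expires unset (session cookie); the ticket itself still
        // expires server-side after `minutes`.
        if (persist)
            cookie.Expires = ticket.Expiration;

        // Set (not Add) so only one auth cookie is sent, and do not call
        // RedirectFromLoginPage or SetAuthCookie afterwards: both issue a new
        // cookie that uses the timeout from configuration.
        context.Response.Cookies.Set(cookie);
        context.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persist));
    }

    // Minutes left on the ticket in the request cookie, or null when there is no valid ticket.
    public static double? MinutesRemaining(HttpContextBase context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }            // tampered or undecryptable value
        if (ticket == null || ticket.Expired) return null;
        return (ticket.Expiration - DateTime.Now).TotalMinutes;
    }
}
```

Logging `MinutesRemaining` right after login shows whether the 120-minute ticket or a default-timeout ticket ended up in the cookie.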