Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Manually renew forms authentication ticket:

Yet another problem with forms authentication ticket expiring too soon. I need to use sliding Expiration set to true. I have read forums and understood the problem with the loss of precision, that the ticket only gets updated if the request is made after half of the expiration time only.

The problem: In my webconfig I have as follows:

    <authentication mode="Forms">
        <forms timeout="20" name="SqlAuthCookie" protection="All" slidingExpiration="true" />
    </authentication>
    <sessionState timeout="20" />
    <authorization>

The user must only be logged out and redirected to login.aspx, only when there was no request made in the 20 Minute interval. The problem is that users are making requests, and still get thrown to the login page. This should not happen. What I thought of doing, was to reset the SqlAuthCookie manually for each request.

Below is my code. It is called on context.AcquireRequestState.

    void context_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        ResetAuthCookie(ctx);
     }

            private void ResetAuthCookie(HttpContext ctx)
    {
        HttpCookie authCookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null)
            return;

        FormsAuthenticationTicket ticketOld = FormsAuthentication.Decrypt(authCookie.Value);
        if (ticketOld == null)
            return;

        if (ticketOld.Expired)
            return;

        FormsAuthenticationTicket ticketNew = null;
        if (FormsAuthentication.SlidingExpiration)
           ticketNew = FormsAuthentication.RenewTicketIfOld(ticketOld);

        if (ticketNew != ticketOld)
            StoreNewCookie(ticketNew, authCookie, ctx);
    }

    private void StoreNewCookie(FormsAuthenticationTicket ticketNew, HttpCookie authCookie, HttpContext ctx)
    {
        string hash = FormsAuthentication.Encrypt(ticketNew);
        if (ticketNew.IsPersistent)
            authCookie.Expires = ticketNew.Expiration;

        authCookie.Value = hash;
        authCookie.HttpOnly = true;

        ctx.Response.Cookies.Add(authCookie);
    }

My questions are:

  1. Is it wrong or an acceptable solution, resetting the cookie on each request?
  2. Why does it still not work? It seems that new Ticket never gets renewed.
  3. Are there other causes possible, for the fact that the users have their forms authentication expired too soon, that I should investigate?

Thank you, Regards,

like image 649
Amc_rtty Avatar asked Jun 08 '12 08:06

Amc_rtty


People also ask

What is form authentication ticket?

The FormsAuthenticationTicket class is used to create an object that represents the authentication ticket that is used by forms authentication to identify an authenticated user.

How do you authenticate a form?

Forms– users are authenticated via a form on a web page. Passport– users are authenticated using Microsoft's Passport Network. None– no authentication model is used; all visitors are anonymous.

What is the use of FormsAuthentication SetAuthCookie?

The forms-authentication ticket supplies forms-authentication information to the next request made by the browser. With forms authentication, you can use the SetAuthCookie method when you want to authenticate a user but still retain control of the navigation with redirects.

What is the difference between logic controls and forms authentication?

What is the difference between login controls and Forms authentication? Forms authentication can be easily implemented using login controls without writing any code. Login control performs functions like prompting for user credentials, validating them and issuing authentication just as the FormsAuthentication class.


1 Answers

A forms authentication cookie only renews itself after half it's expiration time has passed.

From Microsoft:

If the Web page is accessed before half of the expiration time passes, the ticket expiration time will not be reset. For example, if any Web page is accessed again at 5:04 00:00:00 PM, the cookies and ticket timeout period will not be reset.

To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed.

This may be your issue. If your clients access your site at the 9 minute mark and don't access it again for 10 minutes they'll be timed out. This occurs even though you have your session timeout set to 20 minutes.

Manually renewing your ticket like you're doing isn't necessary. You just need sliding expiration enabled. If the 'half the specific time' rule doesn't work for you then you'll have to look at other solutions.

like image 54
Mark Avatar answered Sep 21 '22 06:09

Mark