Authentication Cookie not in Request.Cookies

Discussion in 'ASP .Net' started by Joe, Nov 14, 2006.

  1. In ASP.NET 1.1 I could detect expired form authentication tickets (which
    closely coincide with my expired session) by checking for the Authentication
    Cookie when the login screen loads. If the cookie exists, then decrypt the
    forms auth. ticket and check to see if it is expired. If so display a
    message to the user letting them know why they are back on the login screen.
    The code I used was something like this:

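    ' Look up the forms authentication cookie by its configured name
    Dim cookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
    ' Decrypt the cookie value back into a ticket
    Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(cookie.Value)
    If ticket.Expired Then ...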

    Now when upgrading to ASP.NET 2.0 I am finding that
    Request.Cookies(FormsAuthentication.FormsCookieName) will only return the
    Auth cookie PRIOR to the expiration of the Auth Ticket. Afterwards,
    Request.Cookies will not contain the cookie. I can still get to the Cookie
    with Request.Headers("Cookie") and manually pull it out but I just wanted to
    verify that this is in fact a change in .NET 2.0 and not just me missing
    something...Reflector on the HttpRequest.Cookies property doesn't seem to
    show anything removing the Auth cookie, so I'm a little perplexed...

    Is there a better way to detect expired sessions? I know some people use
    the Session.IsNew() property in conjunction with searching for the
    preexistence of the session cookie but for me this does not work because I am
    dealing with several apps that share an authentication cookie but all
    have different session states. Thus, I just use the auth ticket expiration
    as it (used to be) easier to detect...

    Thanks in advance for the input!
    Joe, Nov 14, 2006

  2. Hi,

    Based on my understanding, you have two questions:

    1) Why the cookie FormsAuthentication.FormsCookieName cannot be found in
    Request.Cookies collection after the session is expired in ASP.NET 2.0?

    2) What's the recommended way to detect expired sessions?

    If I've misunderstood anything, please feel free to let me know.

    For question 1), I cannot find documentation on the design change. Also, I
    don't think this is the recommended way to detect expired sessions.

    For question 2), it's a pity that currently ASP.NET doesn't provide a
    built-in way to return this information. Though we do have two commonly
    used workarounds:

    2.1) The first workaround is to create a cookie on Session_OnStart as
    described in the following FAQ:

    #ASP.NET Forums - Understanding session state modes + FAQ
    Q: How do I detect a session has expired and redirect it to another page?
    A: It's a much requested feature, and unfortunately there is no easy way to
    do it right now. We will look into it in the next major version. In the
    meantime, if you are using cookies, you can store a marker in your cookie so
    you can tell the difference between "fresh browser + new session" and "old
    browser + expired session". Below is sample code that will redirect the
    page to an expired page if the session has expired.

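    void Session_OnStart(Object sender, EventArgs e) {
        HttpContext context = HttpContext.Current;
        HttpCookieCollection cookies = context.Request.Cookies;

        if (cookies["starttime"] == null) {
            // Fresh browser: set the marker cookie (value assumed to be the start time)
            HttpCookie cookie = new HttpCookie("starttime", DateTime.Now.ToString());
            cookie.Path = "/";
            context.Response.Cookies.Add(cookie);
        }
        else {
            // Marker cookie present on a new session: the old session expired
            context.Response.Redirect("expired.aspx"); // placeholder page name
        }
    }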

    2.2) Second workaround is to use the cookie used to store the session id:

    #Detecting ASP.NET Session Timeouts: ASP Alliance

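    if (Context.Session != null) {
        if (Session.IsNewSession) {
            string szCookieHeader = Request.Headers["Cookie"];
            if ((null != szCookieHeader) &&
                (szCookieHeader.IndexOf("ASP.NET_SessionId") >= 0)) {
                // New session, but the browser still sent a session cookie:
                // the previous session timed out; handle it here.
            }
        }
    }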

    Additional references:

    #Multiple Login Check with Session Ping

    #How and why session IDs are reused in ASP.NET

    Hope this helps. Let me know if you need further information.

    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

    Walter Wang [MSFT], Nov 14, 2006
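
An added example, not code from either poster or from the linked articles: a C# helper that pulls the forms authentication cookie out of the raw Cookie header by exact name, as the first post describes doing by hand, and reports whether its ticket has expired. The class and method names are hypothetical, and it assumes the application's machineKey configuration can decrypt the cookie.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class ExpiredTicketCheck   // hypothetical helper class
{
    // Returns the value of the cookie named exactly `name` from a raw
    // Cookie header, or null if it is absent. Matching the whole name
    // avoids the false positives of a substring search such as IndexOf,
    // which would also match a cookie called "XASP.NET_SessionId".
    public static string GetRawCookie(string cookieHeader, string name)
    {
        if (string.IsNullOrEmpty(cookieHeader)) return null;
        foreach (string part in cookieHeader.Split(';'))
        {
            string pair = part.Trim();
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;   // skip malformed or nameless entries
            if (string.Equals(pair.Substring(0, eq), name, StringComparison.Ordinal))
                return pair.Substring(eq + 1);
        }
        return null;
    }

    // True only when the request carried a forms authentication cookie that
    // decrypts to a ticket whose expiration has passed. The result is meant
    // for choosing the login page message, never for authenticating anyone.
    public static bool HadExpiredTicket(HttpRequest request)
    {
        string raw = GetRawCookie(request.Headers["Cookie"],
                                  FormsAuthentication.FormsCookieName);
        if (string.IsNullOrEmpty(raw)) return false;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(raw);
            return ticket != null && ticket.Expired;
        }
        catch (Exception)
        {
            // Tampered, truncated or foreign cookie: treat as "no ticket"
            // rather than letting client-supplied data break the login page.
            return false;
        }
    }
}
```

On the login page, `ExpiredTicketCheck.HadExpiredTicket(Request)` can decide whether to show the "your session timed out" message.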
