authentication ticket expiring too soon

Discussion in 'ASP .Net Security' started by bmjnine@hotmail.com, Sep 27, 2006.

  1. Guest

    Hi,

    I am trying to set up my site so that once a user logs in, they stay
    logged in for 72 hours unless they close their browser.

    I have the following in place:

    (web.config)
    -----------------
    <system.web>
    <sessionState timeout="4320" />
    <httpRuntime maxRequestLength="102400" executionTimeout="180" />
    <authentication mode="Forms">
    <forms loginUrl="signin.aspx" name="UserID" timeout="4320"
    slidingExpiration="true" path="/">
    </forms>
    </authentication>
    <authorization>
    <deny users="?" />
    <allow users="*" />
    </authorization>
    </system.web>

    (signin.aspx)
    -------------------
    FormsAuthentication.RedirectFromLoginPage(myUserID, false);


    I also have a test page that tells me some cookie/ticket info:

    (test.aspx)
    -------------------
    StringBuilder sb = new StringBuilder();
    HttpCookieCollection cookies = Request.Cookies;
    // Dump every cookie the browser sent with this request.
    for (int i = 0; i < cookies.Count; i++)
    {
        sb.Append("Name: " + cookies[i].Name + "<br/>");
        sb.Append("Value: " + cookies[i].Value + "<br/>");
        sb.Append("Domain: " + cookies[i].Domain + "<br/>");
        sb.Append("Path: " + cookies[i].Path + "<br/>");
        sb.Append("HasKeys: " + cookies[i].HasKeys + "<br/>");
        sb.Append("Expires: " + cookies[i].Expires.ToString() + "<br/><br/>");
    }
    // Assumes the request was authenticated by forms authentication.
    FormsIdentity id = (FormsIdentity)User.Identity;
    FormsAuthenticationTicket ticket = id.Ticket;
    sb.Append("Ticket Name: " + ticket.Name.ToString() + "<br/><br/>");
    sb.Append("Ticket Path: " + ticket.CookiePath.ToString() + "<br/><br/>");
    sb.Append("Ticket Issue Date: " + ticket.IssueDate.ToString() + "<br/><br/>");
    sb.Append("Ticket Expires: " + ticket.Expiration.ToString() + "<br/><br/>");
    sb.Append("Ticket Expired: " + ticket.Expired.ToString() + "<br/><br/>");
    sb.Append("Ticket Is Persistent: " + ticket.IsPersistent.ToString() + "<br/><br/>");
    Response.Write(sb.ToString());

    I am able to login okay, and it appears the expiration date seems to be
    in effect, as the results of the above test page are:
    ----------------------------------------
    Name: UserID
    Value:
    E3099CA828B03D405118E120E7F47A2E0C9F3BAC50961AB996E2E681BFA6CB282D1BE0E214F69E035CF635D867A9D02DE0AF2F70EC40389505E53C71B2E28A0E
    Domain:
    Path: /
    HasKeys: False
    Expires: 1/1/0001 12:00:00 AM

    Name: ASP.NET_SessionId
    Value: yyvr3w55ryhmmyugovdllxex
    Domain:
    Path: /
    HasKeys: False
    Expires: 1/1/0001 12:00:00 AM

    Ticket Name: 1
    Ticket Path: /
    Ticket Issue Date: 9/27/2006 5:35:27 PM
    Ticket Expires: 9/30/2006 5:35:27 PM
    Ticket Expired: False
    Ticket Is Persistent: False

    As you can see, the ticket is set to expire in 72 hours. However, after
    about 20-30 minutes of inactivity, my ticket appears to expire -- I am
    redirected to the login page, and the test page throws an error because
    User.Identity is null.

    What am I missing? :(

    Thanks in advance,
    Alyssa
     
    , Sep 27, 2006
    #1

  2. Guest

    Just curious -- what is it that indicates the cookies are not being
    properly set?

    I am using the following code to set the ticket:

    (signin.aspx)
    ------------------
    void Page_Load(Object s, EventArgs e) {
        if (IsPostBack) {
            int signinResult =
                Authenticator.SignIn(TextBox_Email.Text, TextBox_Password.Text);
            if (signinResult == 1)
                // false = non-persistent (session) cookie
                FormsAuthentication.RedirectFromLoginPage(Authenticator.UserID, false);
            else
                Label_Error.Text = "That email/password combination is invalid. Please try again.";
        }
    }

    (Authenticator.cs)
    ------------------------
    public class Authenticator
    {
        public Authenticator()
        {
        }

        public static HttpCookie CookieObj
        {
            get
            {
                if (HttpContext.Current.Request.Cookies["UserInfo"] == null)
                    return new HttpCookie("UserInfo");
                else
                    return HttpContext.Current.Request.Cookies["UserInfo"];
            }
            set
            {
                System.Web.HttpContext.Current.Response.Cookies.Add(value);
            }
        }

        public static int SignIn(string email, string pw)
        {
            HttpCookie tmpCookieObj = new HttpCookie("UserInfo");
            // Positional parameters (?) keep user input out of the SQL text.
            string sql = "SELECT FirstName, LastName, UserID FROM Users " +
                "WHERE EMail = ? AND Password = ?";
            using (OleDbConnection connectionObj = new OleDbConnection(myConnectionString))
            {
                OleDbCommand Cmd = new OleDbCommand(sql, connectionObj);
                // OleDb binds by position, so add the values in query order.
                Cmd.Parameters.AddWithValue("@email", email.Trim());
                Cmd.Parameters.AddWithValue("@pw", pw.Trim());
                connectionObj.Open();
                OleDbDataReader DReader = Cmd.ExecuteReader();
                if (DReader.Read())
                {
                    string FirstName = DReader.GetString(0);
                    string LastName = DReader.GetString(1);
                    string UserID = DReader.GetInt32(2).ToString();
                    DReader.Close();
                    tmpCookieObj.Values.Add("FirstName", FirstName);
                    tmpCookieObj.Values.Add("LastName", LastName);
                    tmpCookieObj.Values.Add("UserID", UserID);
                    tmpCookieObj.Expires = DateTime.Now.AddDays(3);
                    CookieObj = tmpCookieObj;
                    return 1;
                }
                else
                {
                    DReader.Close();
                    connectionObj.Close();
                    return -1;
                }
            }
        }

        public static string UserID
        {
            get
            {
                if (CookieObj["UserID"] != null)
                    return CookieObj["UserID"];
                else
                    return String.Empty;
            }
        }
    }


    I should also now note the other cookie that appears on the test page
    (previously omitted):

    Name: UserInfo
    Value: FirstName=Joe&LastName=Smith&UserID=1
    Domain:
    Path: /
    HasKeys: True
    Expires: 1/1/0001 12:00:00 AM

    Thanks,
    Alyssa


    Gaurav Vaish (www.EduJiniOnline.com) wrote:
    > > Name: UserID
    > > Expires: 1/1/0001 12:00:00 AM
    > >
    > > Name: ASP.NET_SessionId
    > > Expires: 1/1/0001 12:00:00 AM

    >
    > The cookies are not being properly set.
    > Neither for ASP.Net_SessionId, nor for UserID.
    >
    > Just check how you are generating and setting the FormsAuthenticationTicket?
    >
    >
    > --
    > Happy Hacking,
    > Gaurav Vaish | http://www.mastergaurav.com
    > http://www.edujinionline.com
    > http://articles.edujinionline.com/webservices
    > -------------------
     
    , Sep 29, 2006
    #2

  3. Guest

    I've read in other posts that persistent cookies do not have an
    expiration date/time, and therefore report their "Expires" property as
    the min date/time, which is "1/1/0001 12:00:00 AM". Is that not the
    case? Plus, if that was the actual expiration date, wouldn't I be
    logged out immediately since it is in the past? I stay logged in for 20
    minutes.

    Regardless, are you able to tell what I'm doing wrong as far as setting
    the ticket/expiration?

    Also, after my initial post, I realized that I was setting the Ticket
    Name incorrectly, passing the UserID VALUE instead of the actual name
    "UserID". So I changed that, and am now getting what *should* be
    correct:

    (test.aspx)
    -------------------
    Name: UserInfo
    Value: FirstName=Joe&LastName=Smith&UserID=1
    Domain:
    Path: /
    HasKeys: True
    Expires: 1/1/0001 12:00:00 AM

    Name: UserID
    Value:
    1BD13F779BB44DC9026C6C87DE0D7B98680CF1D50067D92C372F76A7DCEBC99AAF8C304D755091F8A202A9CF5FBB700D9991F10E4D61F1E8AE445C0C1BA250660A0B1F2D1CC30391
    Domain:
    Path: /
    HasKeys: False
    Expires: 1/1/0001 12:00:00 AM

    Name: ASP.NET_SessionId
    Value: 3p1cuanf4bdozs45qpfesl55
    Domain:
    Path: /
    HasKeys: False
    Expires: 1/1/0001 12:00:00 AM

    Ticket Name: UserID
    Ticket Path: /
    Ticket Issue Date: 10/3/2006 6:08:42 PM
    Ticket Expires: 10/6/2006 6:08:42 PM
    Ticket Expired: False
    Ticket Is Persistent: False


    HOWEVER, even with this change it still doesn't work -- I still am
    prompted to login after 20 minutes or so!!

    I'm still baffled... :(

    Alyssa
     
    , Oct 4, 2006
    #3
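
Added example, not part of the thread or any poster's code: the test page in the first post sits behind `<deny users="?" />` and casts `User.Identity`, so it can only report on requests that are already authenticated. The helper below reports the state of the forms cookie on every request, including the one that ends in a redirect to the login page; `TicketDiagnostics` and `Describe` are hypothetical names, and calling it from `Application_BeginRequest` is an assumption.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the thread): reports whether the forms cookie
// arrived, whether the server can decrypt it, and whether the ticket expired.
public static class TicketDiagnostics
{
    public static string Describe(HttpRequest request)
    {
        // Name comes from <forms name="..."> ("UserID" in the posted web.config).
        string name = FormsAuthentication.FormsCookieName;
        HttpCookie cookie = request.Cookies[name];

        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return name + ": cookie not sent by the browser";

        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            // Cookie arrived but the server could not validate or decrypt it.
            return name + ": cookie sent, Decrypt failed (" + ex.GetType().Name + ")";
        }
        if (ticket == null)
            return name + ": cookie sent, Decrypt returned no ticket";

        // Never log cookie.Value itself: it is a bearer credential.
        return name + ": ticket for '" + ticket.Name + "'"
            + ", issued " + ticket.IssueDate
            + ", expires " + ticket.Expiration
            + ", expired=" + ticket.Expired
            + ", persistent=" + ticket.IsPersistent
            + ", server time " + DateTime.Now;
    }
}

// Global.asax.cs (assumed call site): runs before the authentication stage,
// so the cookie is examined exactly as the browser sent it.
//
//   protected void Application_BeginRequest(object sender, EventArgs e)
//   {
//       System.Diagnostics.Trace.WriteLine(
//           Request.RawUrl + " " + TicketDiagnostics.Describe(Request));
//   }
```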