authentication ticket expiring too soon

[bmjnine]

Hi,

I am trying set up my site so that once a user logs in, they stay
logged in for 72 hours unless they close their browser.

I have the following in place:

(web.config)
-----------------
<system.web>
<sessionState timeout="4320" />
<httpRuntime maxRequestLength="102400" executionTimeout="180" />
<authentication mode="Forms">
<forms loginUrl="signin.aspx" name="UserID" timeout="4320"
slidingExpiration="true" path="/">
</forms>
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>

(signin.aspx)
-------------------
FormsAuthentication.RedirectFromLoginPage(myUserID, false);


I also have a test page that tells me some cookie/ticket info:

(test.aspx)
-------------------
StringBuilder sb = new StringBuilder();
HttpCookieCollection cookies = Request.Cookies;
for (int i = 0; i < cookies.Count; i++)
{
sb.Append("Name: " + cookies.Name + "<br/>");
sb.Append("Value: " + cookies.Value + "<br/>");
sb.Append("Domain: " + cookies.Domain + "<br/>");
sb.Append("Path: " + cookies.Path + "<br/>");
sb.Append("HasKeys: " + cookies.HasKeys + "<br/>");
sb.Append("Expires: " + cookies.Expires.ToString() +
"<br/><br/>");
}
FormsIdentity id = (FormsIdentity)User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;
sb.Append("Ticket Name: " + ticket.Name.ToString() + "<br/><br/>");
sb.Append("Ticket Path: " + ticket.CookiePath.ToString() +
"<br/><br/>");
sb.Append("Ticket Issue Date: " + ticket.IssueDate.ToString() +
"<br/><br/>");
sb.Append("Ticket Expires: " + ticket.Expiration.ToString() +
"<br/><br/>");
sb.Append("Ticket Expired: " + ticket.Expired.ToString() +
"<br/><br/>");
sb.Append("Ticket Is Persistent: " + ticket.IsPersistent.ToString() +
"<br/><br/>");
Response.Write(sb.ToString());

I am able to login okay, and it appears the expiration date seem to be
in effect, as the results of the above test page are:
----------------------------------------
Name: UserID
Value:
E3099CA828B03D405118E120E7F47A2E0C9F3BAC50961AB996E2E681BFA6CB282D1BE0E214F69E035CF635D867A9D02DE0AF2F70EC40389505E53C71B2E28A0E
Domain:
Path: /
HasKeys: False
Expires: 1/1/0001 12:00:00 AM

Name: ASP.NET_SessionId
Value: yyvr3w55ryhmmyugovdllxex
Domain:
Path: /
HasKeys: False
Expires: 1/1/0001 12:00:00 AM

Ticket Name: 1
Ticket Path: /
Ticket Issue Date: 9/27/2006 5:35:27 PM
Ticket Expires: 9/30/2006 5:35:27 PM
Ticket Expired: False
Ticket Is Persistent: False

As you can see, the ticket is set to expire in 72 hours. However, after
about 20-30 minutes of inactivity, my ticket appears to expire -- I am
redirected to the login page, and the test page throws an error because
User.Identity is null.

What am I missing?

Thanks in advance,
Alyssa

 

[bmjnine]

Just curious -- what is it that indicates the cookies are not being
properly set?

I am using the following code to set the ticket:

(signin.aspx)
------------------
void Page_Load(Object s, EventArgs e) {
if (IsPostBack) {
int signinResult =
Authenticator.SignIn(TextBox_Email.Text,TextBox_Password.Text);
if (signinResult == 1)

FormsAuthentication.RedirectFromLoginPage(Authenticator.UserID, false);
else
Label_Error.Text = "That email/password combination is
invalid. Please try again.";
}
}
}

(Authenticator.cs)
------------------------
public class Authenticator
{
public Authenticator()
{
}

public static HttpCookie CookieObj
{
get
{
if (HttpContext.Current.Request.Cookies["UserInfo"] == null)
return new HttpCookie("UserInfo");
else
return HttpContext.Current.Request.Cookies["UserInfo"];
}
set
{
System.Web.HttpContext.Current.Response.Cookies.Add(value);
}
}

public static int SignIn(string email, string pw)
{
HttpCookie tmpCookieObj = new HttpCookie("UserInfo");
string sql = "SELECT FirstName, LastName, UserID FROM Users WHERE
EMail = '" + email.Trim() + "' " + "AND Password = '" + pw.Trim() +
"'";
using (OleDbConnection connectionObj = new
OleDbConnection(myConnectionString))
{
OleDbCommand Cmd = new OleDbCommand(sql,connectionObj);
connectionObj.Open();
OleDbDataReader DReader = Cmd.ExecuteReader();
if (DReader.Read())
{
string FirstName = DReader.GetString(0);
string LastName = DReader.GetString(1);
string UserID = DReader.GetInt32(2).ToString();
DReader.Close();
tmpCookieObj.Values.Add("FirstName", FirstName);
tmpCookieObj.Values.Add("LastName", LastName);
tmpCookieObj.Values.Add("UserID", UserID);
tmpCookieObj.Expires = DateTime.Now.AddDays(3);
CookieObj = tmpCookieObj;
return 1;
}
else
{
DReader.Close();
connectionObj.Close();
return -1;
}
}
}

public static string UserID
{
get
{
if (CookieObj["UserID"] != null)
return CookieObj["UserID"];
else
return String.Empty;
}
}
}


I should also now note the other cookie that appears on the test page
(previously omitted):

Name: UserInfo
Value: FirstName=Joe&LastName=Smith&UserID=1
Domain:
Path: /
HasKeys: True
Expires: 1/1/0001 12:00:00 AM

Thanks,
Alyssa

 

[bmjnine]

I've read in other posts that persistent cookies do not have an
expiration date/time, and therefore report their "Expires" property as
the min date/time, which is "1/1/0001 12:00:00 AM". Is that not the
case? Plus, if that was the actual expiration date, wouldn't I be
logged out immediately since it is in the past? I stay logged in for 20
minutes.

Regardless, are you able to tell what I'm doing wrong as far as setting
the ticket/expiration?

Also, after my initial post, I realized that I was setting the Ticket
Name incorrectly, passing the UserID VALUE instead of the actual name
"UserID". So I changed that, and am now getting what *should* be
correct:

(test.aspx)
-------------------
Name: UserInfo
Value: FirstName=Joe&LastName=Smith&UserID=1
Domain:
Path: /
HasKeys: True
Expires: 1/1/0001 12:00:00 AM

Name: UserID
Value:
1BD13F779BB44DC9026C6C87DE0D7B98680CF1D50067D92C372F76A7DCEBC99AAF8C304D755091F8A202A9CF5FBB700D9991F10E4D61F1E8AE445C0C1BA250660A0B1F2D1CC30391
Domain:
Path: /
HasKeys: False
Expires: 1/1/0001 12:00:00 AM

Name: ASP.NET_SessionId
Value: 3p1cuanf4bdozs45qpfesl55
Domain:
Path: /
HasKeys: False
Expires: 1/1/0001 12:00:00 AM

Ticket Name: UserID
Ticket Path: /
Ticket Issue Date: 10/3/2006 6:08:42 PM
Ticket Expires: 10/6/2006 6:08:42 PM
Ticket Expired: False
Ticket Is Persistent: False


HOWEVER, even with this change it still doesn't work -- I still am
prompted to login after 20 minutes or so!!

I'm still baffled...

Alyssa