Cookie expiration

Discussion in 'ASP .Net' started by Oriane, Jan 16, 2009.

  1. Oriane

    Oriane Guest

    Hi there,

    I have deployed my asp.Net 2.0 site and I use a "login" component for the
    forms authentication.
    Some of my users are telling me that they lost their "credentials" although
    they have checked the "Remember me" checkbox.
    I've googled a little, but I'm confused with the "authentication timeout"
    and the "session timeout" concepts...

    Best regards.

    Oriane
    Oriane, Jan 16, 2009
    #1

  2. On Jan 16, 3:49 pm, "Oriane" <> wrote:
    > Hi there,
    >
    > I have deployed my asp.Net 2.0 site and I use a "login" component for the
    > forms authentication.
    > Some of my users are telling me that they lost their "credentials" although
    > they have checked the "Remember me" checkbox.
    > I've googled a little, but I'm confused with the "authentication timeout"
    > and the "session timeout" concepts...
    >
    > Best regards.
    >
    > Oriane


    Hi Oriane

    "Remember me" is based on cookies. Are you sure they don't delete cookies
    after they have visited your site?
    Also, take a look here, maybe you have this problem too
    http://forums.asp.net/p/947381/1147268.aspx

    Hope this helps
    Alexey Smirnov, Jan 16, 2009
    #2

  3. Steven Cheng

    Steven Cheng Guest

    Hi Oriane,

    From your description, in your ASP.NET web application, which uses Forms
    authentication, the user will sometimes encounter unexpected logout
    behavior, correct?

    As for this problem, I think it is possible that the forms authentication
    ticket (generated after the user has logged in/passed the login form) has been
    lost or has become invalid. Are you using the LoginControl to log the user in
    (or manually writing code to log in, such as
    FormsAuthentication.RedirectFrom.....)?

    Here are some possible causes I can think of; you may have a look over them to
    see whether the issue is caused by any of them:

    ** Since ASP.NET forms authentication relies on a cookie to store the
    authentication ticket, we have to ensure the client-side browser fully
    supports cookies so that the problem is not caused by the client side.

    ** Forms authentication has a timeout setting; you can check
    whether this setting has been manually changed or is configured to a proper
    value (or whether you left it as default):

    #Forms Authentication timeout default in ASP.NET 2.0
    http://weblogs.asp.net/scottgu/archive/2005/11/08/430011.aspx


    ** The machinekey problem. This is what I think is the most likely cause.
    An ASP.NET application needs to encrypt and sign many pieces of data (such as
    ViewState, WebResource url strings, and the FormsAuthentication ticket).
    However, the key used to encrypt/sign data is by default auto-generated by
    the AppDomain, and the key will change whenever the appdomain restarts.
    Therefore, if your ASP.NET application has restarted for some reason (such
    as an unhandled exception), the forms authentication ticket (and other data
    that rely on the machine key) will become invalid for the new application
    instance (appdomain). One means to resolve this problem is to manually specify
    a machinekey for your ASP.NET web application. Here is an MSDN article which
    introduces the machinekey usage in ASP.NET 2.0:

    #How To: Configure MachineKey in ASP.NET 2.0
    http://msdn.microsoft.com/en-us/library/ms998288.aspx

    If there is anything unclear on this, please feel free to post here.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

    Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 2 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions. Issues of this
    nature are best handled working with a dedicated Microsoft Support Engineer
    by contacting Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.




    --------------------
    >From: "Oriane" <>
    >Subject: Cookie expiration
    >Date: Fri, 16 Jan 2009 15:49:24 +0100


    >
    >Hi there,
    >
    >I have deployed my asp.Net 2.0 site and I use a "login" component for the
    >forms authentication.
    >Some of my users are telling me that they lost their "credentials" although
    >they have checked the "Remember me" checkbox.
    >I've googled a little, but I'm confused with the "authentication timeout"
    >and the "session timeout" concepts...
    >
    >Best regards.
    >
    >Oriane
    >
    >
    Steven Cheng, Jan 19, 2009
    #3
  4. Oriane

    Oriane Guest

    Hi Steven,
    "Steven Cheng" <> wrote in message
    news:iPqWV$...
    > Hi Oriane,
    >
    > From your description, in your ASP.NET web application which use Forms
    > authentication, sometimes the user will encounter unexpected logout
    > behavior, correct?

    No :-( When the user connects to my site, I want his login and password to
    be automatically filled in on the login page, if he has checked the
    "Remember me" checkbox in the asp.net login component.

    Apparently, this is not always the case for my web users...

    Have a nice day
    Oriane, Jan 19, 2009
    #4
  5. On Jan 19, 2:15 pm, "Oriane" <> wrote:
    > Hi Steven,
    > "Steven Cheng" <> wrote in message news:iPqWV$...
    > > Hi Oriane,
    > >
    > > From your description, in your ASP.NET web application which use Forms
    > > authentication, sometimes the user will encounter unexpected logout
    > > behavior, correct?
    >
    > No :-( When the user connects to my site, I want his login and password to
    > be automatically filled in on the login page, if he has checked the
    > "Remember me" checkbox in the asp.net login component.
    >
    > Apparently, this is not always the case for my web users...
    >
    > Have a nice day


    "Remember me" works differently. If you set the DisplayRememberMe
    property to true and a user selected the Remember me, the
    authentication token will be stored in a persistent cookie in the
    browser with a default expiry of 50 years. It means next time when he
    or she logs in, he/she will be authenticated automatically without
    showing the login form.
    Alexey Smirnov, Jan 19, 2009
    #5
  6. Oriane

    Oriane Guest

    Hi Alexey,
    "Alexey Smirnov" <> wrote in message
    news:...

    > "Remember me" works differently. If you set the DisplayRememberMe
    > property to true and a user selected the Remember me, the
    > authentication token will be stored in a persistent cookie in the
    > browser with a default expiry of 50 years. It means next time when he
    > or she logs in, he/she will be authenticated automatically without
    > showing the login form.

    So what could explain that the persistent cookie disappears after a while?
    (I'm sure that my users don't explicitly delete their cookies!)

    Oriane
    Oriane, Jan 19, 2009
    #6
  7. Oriane

    Oriane Guest

    Ok I've understood (I think). After the session expiration, the user is
    automatically logged out, and THEN he has to retype his login/password. So I
    suppose that the cookie (is it the same?) is deleted even if it is
    persistent.
    Oriane, Jan 19, 2009
    #7
  8. On Jan 19, 4:17 pm, "Oriane" <> wrote:
    > Ok I've understood (I think). After the session expiration, the user is
    > automatically logged out, and THEN he has to retype his login/password. So I
    > suppose that the cookie (is it the same) is deleted even if it is
    > persistent.


    From what I understood, it is working but not for all users. So, I
    suppose they delete cookies. They could also check what Privacy
    settings (IE - Tools - Internet Options) they have. It can be that
    they restrict all/certain cookies.

    Hope this helps
    Alexey Smirnov, Jan 19, 2009
    #8
  9. Steven Cheng

    Steven Cheng Guest

    Hi Oriane,

    Yes, ASP.NET forms authentication relies on a ticket (stored in a cookie) to
    identify whether the user is authenticated. There are several causes that
    could make the authentication ticket no longer exist or no longer be valid.
    That's why I gave you the list to check:

    ** client-side browser settings, or whether the user has manually cleared
    cookies

    ** the "timeout" setting of forms authentication. This is also how the
    forms authentication cookie is generated (the lifetime). Even if you choose to
    persist the cookie, it will still have a lifetime, not forever

    ** the machinekey: if the encryption key used for the ticket changed, the
    client-side ticket will become invalid; in that case the user will also be
    redirected to the login form.

    For detailed check list and info, you can refer to my first reply.
    Hope this helps.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead







    --------------------
    >From: "Oriane" <>
    >Subject: Re: Cookie expiration
    >Date: Mon, 19 Jan 2009 16:17:52 +0100


    >
    >Ok I've understood (I think). After the session expiration, the user is
    >automatically logged out, and THEN he has to retype his login/password. So I
    >suppose that the cookie (is it the same) is deleted even if it is
    >persistent.
    >
    >
    Steven Cheng, Jan 20, 2009
    #9
  10. Steven Cheng

    Steven Cheng Guest

    Hi Oriane,

    Do you still have any question on this?

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    --------------------
    >From: ("Steven Cheng")
    >Organization: Microsoft
    >Date: Tue, 20 Jan 2009 03:20:59 GMT
    >Subject: Re: Cookie expiration


    >
    >Hi Oriane,
    >
    >Yes, ASP.NET forms authentication rely on a ticket( store in cookie) to
    >identify whether user is authenticated. There are several causes that could
    >make authentication ticket no longer exist or valid. That's why I give you
    >the list to check:
    >
    >** client-side browser setting, or whether user has manually cleared cookie
    >
    >** the "timeout" setting of forms authentication. This is also how the
    >forms authentication cookie is generated(the lifetime). Even you choose to
    >persist cookie, it will still have a lifetime, not forever
    >
    >** the machinekey, if the encryption key used for ticket changed, the
    >client-side ticket will become invalid, in that case the user will also be
    >redirect to login form.
    >
    >For detailed check list and info, you can refer to my first reply.
    >Hope this helps.
    >
    >Sincerely,
    >
    >Steven Cheng
    >
    >Microsoft MSDN Online Support Lead
    >
    >
    Steven Cheng, Jan 28, 2009
    #10
  11. Oriane

    Oriane Guest

    Hi Steven,
    "Steven Cheng" <> wrote in message
    news:...
    > Hi Oriane,
    >
    > Do you still have any question on this?

    No, since I can't really figure out how all that stuff works even if I've
    tried to understand the difference between the session expiration, the
    cookie time-out, the authentication time-out...
    I didn't succeed in sparing my users from typing their passwords from time to
    time...

    Best regards
    Oriane, Jan 29, 2009
    #11
  12. On Jan 29, 9:46 am, "Oriane" <> wrote:
    > Hi Steven,
    > "Steven Cheng" <> wrote in message news:...
    > > Hi Oriane,
    > >
    > > Do you still have any question on this?
    >
    > No, since I can't really figure out how all that stuff works even if I've
    > tried to understand the difference between the session expiration, the
    > cookie time-out, the authentication time-out...
    > I didn't succeed in sparing my users from typing their passwords from time to
    > time...
    >
    > Best regards


    One thing I forgot to tell you and nobody mentioned anything about
    this is the following. If you used http://www.site.com/login.aspx then
    it saved cookies for www.site.com and "remember me" would work. Then
    if you came to http://site.com/login.aspx you will not be
    automatically authenticated because cookies are not shared among www.site.com
    and site.com. Maybe this is a reason of the problem?

    In order to set cookies accessible by both links, you need to
    explicitly set the domain for the cookie. Set the cookie domain to
    ".site.com", you can set it in web.config:

    <authentication mode="Forms">
    <forms loginUrl="~/login.aspx" domain=".site.com"/>
    </authentication>

    Another way is to redirect requests from site.com to www.site.com.

    If this is still not working and you believe that clients do not
    delete cookies, please post your code and web.config configuration. It
    is hard to diagnose the problem without seeing the code.

    Hope this helps
    Alexey Smirnov, Jan 29, 2009
    #12
  13. Steven Cheng

    Steven Cheng Guest

    Hi Oriane,

    As for forms authentication, the ticket timeout doesn't have much to do
    with session, therefore you do not need to care about session
    timeout. The timeout setting I mentioned is the forms authentication's
    timeout (for the ticket). Just set it via the following configuration element:

    ==========
    <system.web>
      <authentication mode="Forms">
        <forms timeout="30"/>
      </authentication>
    </system.web>
    ============

    #Understanding the Forms Authentication Ticket and Cookie
    http://support.microsoft.com/kb/910443

    Also, have you also checked the "application restart" case? You can use
    some code to monitor application restart/shutdown cases to see whether the
    users log their authentication ticket after some certain application
    restart incidents.

    #Logging ASP.NET Application Shutdown Events
    http://weblogs.asp.net/scottgu/archive/2005/12/14/433194.aspx

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    --------------------
    >From: "Oriane" <>
    >Subject: Re: Cookie expiration
    >Date: Thu, 29 Jan 2009 09:46:28 +0100


    >
    >Hi Steven,
    >"Steven Cheng" <> wrote in message
    >news:...
    >> Hi Oriane,
    >>
    >> Do you still have any question on this?

    >No, since I can't really figure out how all that stuff works even if I've
    >tried to understand the difference between the session expiration, the
    >cookie time-out, the authentication time-out...
    >I didn't succeed in sparing my users from typing their passwords from time to
    >time...
    >
    >Best regards
    >
    >
    Steven Cheng, Jan 30, 2009
    #13
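
A way to tell the three causes listed in this thread apart (cookie never sent, ticket expired, ticket unreadable after a key change), as an added example that is not code posted by anyone in the thread. It assumes the login page is `~/login.aspx` as in the web.config shown above; the log file path is a hypothetical location.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Hosting;
using System.Web.Security;

// Added example for Global.asax.cs; not code from the thread.
public class Global : HttpApplication
{
    private const string LoginPage = "~/login.aspx";            // assumption
    private const string LogPath = "~/App_Data/auth-diag.log";  // hypothetical path
    private static readonly object LogLock = new object();

    private static void Log(string message)
    {
        string line = DateTime.UtcNow.ToString("u") + " " + message + Environment.NewLine;
        lock (LogLock)
        {
            File.AppendAllText(HostingEnvironment.MapPath(LogPath), line);
        }
    }

    protected void Application_Start(object sender, EventArgs e)
    {
        Log("APP START");
    }

    // With an auto-generated machineKey, tickets issued before this point
    // stop validating once the new AppDomain starts, so compare these
    // timestamps with the "cannot be read" entries below.
    protected void Application_End(object sender, EventArgs e)
    {
        Log("APP END reason=" + HostingEnvironment.ShutdownReason);
    }

    // Each time a browser requests the login page, record what it sent,
    // before the forms authentication module has processed the request.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (Request.HttpMethod != "GET" ||
            !string.Equals(Request.AppRelativeCurrentExecutionFilePath,
                           LoginPage, StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        string prefix = "LOGIN PAGE host=" + Request.Url.Host + " ";
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            // Deleted or blocked by the browser, expired on the client,
            // or issued for a different host name (www.site.com vs site.com).
            Log(prefix + "no ticket cookie sent");
            return;
        }

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null)
            {
                Log(prefix + "ticket cannot be read");
                return;
            }
            // Log ticket metadata only, never the cookie value itself.
            Log(prefix + "ticket user=" + ticket.Name +
                " persistent=" + ticket.IsPersistent +
                " issued=" + ticket.IssueDate.ToString("u") +
                " expires=" + ticket.Expiration.ToString("u") +
                " expired=" + ticket.Expired);
        }
        catch (Exception ex)
        {
            // Decrypt fails on a ticket protected with a different key,
            // which is what a changed machineKey looks like from here.
            Log(prefix + "ticket cannot be read: " + ex.GetType().Name);
        }
    }
}
```

"ticket cannot be read" entries that begin right after an APP END line point at the machineKey; "expired=True" points at the forms `timeout`; "no ticket cookie sent" points at the browser or the host name.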
  14. Oriane

    Oriane Guest

    Hi Steven,
    "Steven Cheng" <> wrote in message
    news:$E$...
    > Hi Oriane,
    >
    > As for forms authentication, the ticket timeout doesn't have much things
    > related to session, therefore you do not need to care about session
    > timeout. The timeout setting I mentioned is the forms authentication's
    > timeout(for the ticket). Just set via the following configuration element:
    >
    > ==========
    > <system.web>
    > <authentication mode="Forms">
    > <forms timeout="30"/>
    > ============

    ok.

    > #Understanding the Forms Authentication Ticket and Cookie
    > http://support.microsoft.com/kb/910443

    I will have a look.

    > Also, have you also checked the "application restart" case? You can use
    > some code to monitor application restart/shutdown cases to see whether the
    > users log their authentication ticket after some certain application
    > restart incidents.

    I log these events. Do you mean "whether the users LOST their
    authentication ticket after some ..."?

    > #Logging ASP.NET Application Shutdown Events
    > http://weblogs.asp.net/scottgu/archive/2005/12/14/433194.aspx


    Thanks for your answer
    Oriane, Feb 3, 2009
    #14
  15. Oriane

    Oriane Guest

    Hi Alexey,
    "Alexey Smirnov" <> wrote in message
    news:...

    > One thing I forgot to tell you and nobody mentioned anything about
    > this is the following. If you used http://www.site.com/login.aspx then
    > it saved cookies for www.site.com and "remember me" would work. Then
    > if you came to http://site.com/login.aspx you will not be
    > automatically authenticated because cookies are not shared among
    > www.site.com
    > and site.com. Maybe this is a reason of the problem?

    No.

    > In order to set cookies accessible by both links, you need to
    > explicitly set the domain for the cookie. Set the cookie domain to
    > ".site.com", you can set it in web.config:
    >
    > <authentication mode="Forms">
    > <forms loginUrl="~/login.aspx" domain=".site.com"/>
    > </authentication>

    Ah... Interesting...

    >If this is still not working and you believe that clients do not
    > delete cookies, please post your code and web.config configuration. It
    > is hard to diagnose the problem without seeing the code.

    I'm afraid this is impossible... :-(

    Best regards
    Oriane, Feb 3, 2009
    #15
  16. Steven Cheng

    Steven Cheng Guest

    Thanks for your followup Oriane,

    Since you've added code to log the application restart event, have you
    found any restart log entries, or does the forms authentication
    timeout/ticket loss somewhat match the restart intervals? If so, I think
    it's time to have a look at the following article:

    #How To: Configure MachineKey in ASP.NET 2.0
    http://msdn.microsoft.com/en-us/library/ms998288.aspx

    the above reference mentioned how to explicitly set a machinekey for your
    web application so that the forms authentication ticket will be secured via
    a fixed key(instead of a random generated key which will vary after
    application restart).

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    --------------------
    >From: "Oriane" <>
    >Subject: Re: Cookie expiration
    >Date: Tue, 3 Feb 2009 13:06:04 +0100


    >
    >Hi Steven,
    >"Steven Cheng" <> wrote in message
    >news:$E$...
    >> Hi Oriane,
    >>
    >> As for forms authentication, the ticket timeout doesn't have much things
    >> related to session, therefore you do not need to care about session
    >> timeout. The timeout setting I mentioned is the forms authentication's
    >> timeout(for the ticket). Just set via the following configuration element:
    >>
    >> ==========
    >> <system.web>
    >> <authentication mode="Forms">
    >> <forms timeout="30"/>
    >> ============

    >ok.
    >
    >> #Understanding the Forms Authentication Ticket and Cookie
    >> http://support.microsoft.com/kb/910443

    >I will have a look.
    >
    >> Also, have you also checked the "application restart" case? You can use
    >> some code to monitor application restart/shutdown cases to see whether the
    >> users log their authentication ticket after some certain application
    >> restart incidents.

    >I log these events. Do you mean "whether the users LOST their
    >authentication ticket after some ..."?
    >
    >> #Logging ASP.NET Application Shutdown Events
    >> http://weblogs.asp.net/scottgu/archive/2005/12/14/433194.aspx
    >>

    >
    >Thanks for your answer
    >
    >
    Steven Cheng, Feb 4, 2009
    #16
  17. Steven Cheng

    Steven Cheng Guest

    Thanks for your reply Oriane,

    ========================
    I can't tell...
    But do you mean that when the application restarts, it could invalidate my
    tickets since the MachineKey would be changed ?
    ======================
    Yes, forms authentication ticket is secured via encryption and the key is
    by default auto-generated(since no machinekey is explicitly assigned). So
    after application restart, encryption key changed, the former generated
    ticket will become invalid. This is a possible cause. You can try
    specifying a fixed machinekey to see whether it helps.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead




    --------------------
    >From: "Oriane" <>
    >Subject: Re: Cookie expiration
    >Date: Mon, 23 Feb 2009 12:06:56 +0100
    >
    >Hi Steven,
    >"Steven Cheng" <> wrote in message
    >news:...
    >> Thanks for your followup Oriane,
    >>
    >> Since you've added code to log the application restart event, have you
    >> found any restart log entries or does the forms authentication
    >> timeout/ticket lost somewhat matches the restart intervals?

    >I can't tell...
    >But do you mean that when the application restarts, it could invalidate my
    >tickets since the MachineKey would be changed ?
    >
    >> If so, I think
    >> it's the time you can have a look at the following article:
    >>
    >> #How To: Configure MachineKey in ASP.NET 2.0
    >> http://msdn.microsoft.com/en-us/library/ms998288.aspx
    >>
    >> the above reference mentioned how to explicitly set a machinekey for your
    >> web application so that the forms authentication ticket will be secured
    >> via
    >> a fixed key(instead of a random generated key which will vary after
    >> application restart).

    >Ok I will read !
    >
    >
    Steven Cheng, Feb 6, 2009
    #17
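
For the fixed machinekey suggested in this reply, an added example (not code from the thread or from the linked MSDN article) of a small console program that prints a `<machineKey>` element with random keys. The key sizes and the SHA1/AES choice are assumptions taken from the standard ASP.NET 2.0 options; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread: prints a <machineKey> element
// with freshly generated keys, to paste inside <system.web> in web.config.
static class MachineKeyGenerator
{
    // Returns byteCount random bytes from the OS CSPRNG as upper-case hex.
    static string RandomHex(int byteCount)
    {
        byte[] bytes = new byte[byteCount];
        RandomNumberGenerator.Create().GetBytes(bytes);
        StringBuilder hex = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes)
        {
            hex.Append(b.ToString("X2"));
        }
        return hex.ToString();
    }

    static void Main()
    {
        // Assumed sizes: 64 bytes (128 hex chars) for the SHA1 validation
        // key, 32 bytes (64 hex chars) for the AES decryption key.
        string validationKey = RandomHex(64);
        string decryptionKey = RandomHex(32);

        Console.WriteLine("<machineKey");
        Console.WriteLine("    validationKey=\"" + validationKey + "\"");
        Console.WriteLine("    decryptionKey=\"" + decryptionKey + "\"");
        Console.WriteLine("    validation=\"SHA1\" decryption=\"AES\" />");

        // The same element must be present on every server that has to
        // accept the same tickets. Treat it as a secret: it protects the
        // authentication ticket, so keep it out of source control and
        // restrict read access to web.config.
    }
}
```

With explicit keys in place, tickets issued before an application restart keep validating afterwards, which is the behaviour the reply above is asking Oriane to test.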
  18. Steven Cheng

    Steven Cheng Guest

    Hi Oriane,

    Any further progress on this? If you still have anything unclear, please
    feel free to let me know and I'd be glad to help.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    --------------------
    >From: ("Steven Cheng")
    >Organization: Microsoft
    >Date: Fri, 06 Feb 2009 04:12:11 GMT
    >Subject: Re: Cookie expiration


    >
    >Thanks for your reply Oriane,
    >
    >========================
    >I can't tell...
    >But do you mean that when the application restarts, it could invalidate my
    >tickets since the MachineKey would be changed ?
    >======================
    >Yes, forms authentication ticket is secured via encryption and the key is
    >by default auto-generated(since no machinekey is explicitly assigned). So
    >after application restart, encryption key changed, the former generated
    >ticket will become invalid. This is a possible cause. You can try
    >specifying a fixed machinekey to see whether it helps.
    >
    >Sincerely,
    >
    >Steven Cheng
    >
    >Microsoft MSDN Online Support Lead
    >
    >
    >
    Steven Cheng, Feb 11, 2009
    #18