Cookies expiring when user logs out?

[Steve]

I'm using forms authentication with my .net 2.0 site.
I'm setting some cookies after the user logs in, and as long
as they stay logged in I can "see" the cookies on subsequent posts.

The problem is that as soon as the user logs out, the cookies are gone.
I know ASP will expire the Ticket cookie, but does it expire
all other cookies too?

Anyone else ever experience this? Is it by design?

Thanks!
S

 

[Scott M.]

How are you setting your cookies? If you aren't providing a good expiration
date, the cookies will become "session" cookies, which only last as long as
the session does.

 

[Steve]

Here's the code... as you can see I am setting the expiration date.
In the page load I'm looking for the cookie so my team doesn't have to enter
their User ID every time.
I'm posting all the code just in case you see anything else I've left out.

In the Page_Load event, the cookie is always null after they've logged out.

Thanks for your quick reply! Let me know if you see anything else I may have
missed.
S



protected void Page_Load(object sender, EventArgs e) {
if (!IsPostBack) {
if (Request.Cookies["EmpID"] != null) {
Login1.UserName = Response.Cookies["EmpID"].Value;
}
}
}

protected void Login1_LoggedIn(object sender, EventArgs e) {
if (Login1.RememberMeSet) {
HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
cook.Expires = DateTime.Now.AddYears(1);
Response.Cookies.Add(cook);
}
}

 

[Steve]

HA! Do I feel like an idiot:
if (Request.Cookies["EmpID"] != null) {
Login1.UserName = Response.Cookies["EmpID"].Value;
}
I was checking the Request object if it was null, but referencing the
Response object to get the value. DUH!!!

Sorry for the bother and thanks for your help!!!
S

Here's the code... as you can see I am setting the expiration date.
In the page load I'm looking for the cookie so my team doesn't have to enter
their User ID every time.
I'm posting all the code just in case you see anything else I've left out.

In the Page_Load event, the cookie is always null after they've logged out.

Thanks for your quick reply! Let me know if you see anything else I may have
missed.
S



protected void Page_Load(object sender, EventArgs e) {
if (!IsPostBack) {
if (Request.Cookies["EmpID"] != null) {
Login1.UserName = Response.Cookies["EmpID"].Value;
}
}
}

protected void Login1_LoggedIn(object sender, EventArgs e) {
if (Login1.RememberMeSet) {
HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
cook.Expires = DateTime.Now.AddYears(1);
Response.Cookies.Add(cook);
}
}

How are you setting your cookies? If you aren't providing a good expiration
date, the cookies will become "session" cookies, which only last as long as
the session does.

 

[Dominick Baier]

What happens if someone manually changes the empid cookie on the client?

Will that bring your app in trouble (maybe even security trouble) ?


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

HA! Do I feel like an idiot:
if (Request.Cookies["EmpID"] != null) {
Login1.UserName = Response.Cookies["EmpID"].Value;
}
I was checking the Request object if it was null, but referencing the
Response object to get the value. DUH!!!

Sorry for the bother and thanks for your help!!!
S

Here's the code... as you can see I am setting the expiration date.
In the page load I'm looking for the cookie so my team doesn't have
to enter
their User ID every time.
I'm posting all the code just in case you see anything else I've left
out.
In the Page_Load event, the cookie is always null after they've
logged out.

Thanks for your quick reply! Let me know if you see anything else I
may have
missed.
S
protected void Page_Load(object sender, EventArgs e) {
if (!IsPostBack) {
if (Request.Cookies["EmpID"] != null) {
Login1.UserName = Response.Cookies["EmpID"].Value;
}
}
}
protected void Login1_LoggedIn(object sender, EventArgs e) {
if (Login1.RememberMeSet) {
HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
cook.Expires = DateTime.Now.AddYears(1);
Response.Cookies.Add(cook);
}
}

How are you setting your cookies? If you aren't providing a good
expiration date, the cookies will become "session" cookies, which
only last as long as the session does.


I'm using forms authentication with my .net 2.0 site.
I'm setting some cookies after the user logs in, and as long
as they stay logged in I can "see" the cookies on subsequent posts.
The problem is that as soon as the user logs out, the cookies are
gone.
I know ASP will expire the Ticket cookie, but does it expire
all other cookies too?
Anyone else ever experience this? Is it by design?

Thanks!
S

 

[Scott M.]

I was checking the Request object if it was null, but referencing the

Response object to get the value. DUH!!!

Actually you were doing it the other way around!

 

[Steve]

This isn't a public web site, only internal to our intranet, and it's only
being used by people on my team, so security concerns of this nature aren't
paramount.
Forms authentication for this app is used more as a way of establishing ID
vs security.

Thanks for the heads up though.....

What happens if someone manually changes the empid cookie on the client?

Will that bring your app in trouble (maybe even security trouble) ?


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

HA! Do I feel like an idiot:
if (Request.Cookies["EmpID"] != null) {
Login1.UserName = Response.Cookies["EmpID"].Value;
}
I was checking the Request object if it was null, but referencing the
Response object to get the value. DUH!!!

Sorry for the bother and thanks for your help!!!
S

Here's the code... as you can see I am setting the expiration date.
In the page load I'm looking for the cookie so my team doesn't have
to enter
their User ID every time.
I'm posting all the code just in case you see anything else I've left
out.
In the Page_Load event, the cookie is always null after they've
logged out.

Thanks for your quick reply! Let me know if you see anything else I
may have
missed.
S
protected void Page_Load(object sender, EventArgs e) {
if (!IsPostBack) {
if (Request.Cookies["EmpID"] != null) {
Login1.UserName = Response.Cookies["EmpID"].Value;
}
}
}
protected void Login1_LoggedIn(object sender, EventArgs e) {
if (Login1.RememberMeSet) {
HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
cook.Expires = DateTime.Now.AddYears(1);
Response.Cookies.Add(cook);
}
}
:

How are you setting your cookies? If you aren't providing a good
expiration date, the cookies will become "session" cookies, which
only last as long as the session does.


I'm using forms authentication with my .net 2.0 site.
I'm setting some cookies after the user logs in, and as long
as they stay logged in I can "see" the cookies on subsequent posts.
The problem is that as soon as the user logs out, the cookies are
gone.
I know ASP will expire the Ticket cookie, but does it expire
all other cookies too?
Anyone else ever experience this? Is it by design?

Thanks!
S