Cookies expiring when user logs out?

Discussion in 'ASP .Net Security' started by Steve, Jul 5, 2007.

  1. Steve

    Steve Guest

    I'm using forms authentication with my .net 2.0 site.
    I'm setting some cookies after the user logs in, and as long
    as they stay logged in I can "see" the cookies on subsequent posts.

    The problem is that as soon as the user logs out, the cookies are gone.
    I know ASP will expire the Ticket cookie, but does it expire
    all other cookies too?

    Anyone else ever experience this? Is it by design?

    Thanks!
    S
     
    Steve, Jul 5, 2007
    #1
    1. Advertising

  2. Steve

    Scott M. Guest

    How are you setting your cookies? If you aren't providing a good expiration
    date, the cookies will become "session" cookies, which only last as long as
    the session does.


    "Steve" <> wrote in message
    news:...
    > I'm using forms authentication with my .net 2.0 site.
    > I'm setting some cookies after the user logs in, and as long
    > as they stay logged in I can "see" the cookies on subsequent posts.
    >
    > The problem is that as soon as the user logs out, the cookies are gone.
    > I know ASP will expire the Ticket cookie, but does it expire
    > all other cookies too?
    >
    > Anyone else ever experience this? Is it by design?
    >
    > Thanks!
    > S
    >
     
    Scott M., Jul 5, 2007
    #2
    1. Advertising

  3. Steve

    Steve Guest

    Here's the code... as you can see I am setting the expiration date.
    In the page load I'm looking for the cookie so my team doesn't have to enter
    their User ID every time.
    I'm posting all the code just in case you see anything else I've left out.

    In the Page_Load event, the cookie is always null after they've logged out.

    Thanks for your quick reply! Let me know if you see anything else I may have
    missed.
    S



    protected void Page_Load(object sender, EventArgs e) {
    if (!IsPostBack) {
    if (Request.Cookies["EmpID"] != null) {
    Login1.UserName = Response.Cookies["EmpID"].Value;
    }
    }
    }

    protected void Login1_LoggedIn(object sender, EventArgs e) {
    if (Login1.RememberMeSet) {
    HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
    cook.Expires = DateTime.Now.AddYears(1);
    Response.Cookies.Add(cook);
    }
    }

    "Scott M." wrote:

    > How are you setting your cookies? If you aren't providing a good expiration
    > date, the cookies will become "session" cookies, which only last as long as
    > the session does.
    >
    >
    > "Steve" <> wrote in message
    > news:...
    > > I'm using forms authentication with my .net 2.0 site.
    > > I'm setting some cookies after the user logs in, and as long
    > > as they stay logged in I can "see" the cookies on subsequent posts.
    > >
    > > The problem is that as soon as the user logs out, the cookies are gone.
    > > I know ASP will expire the Ticket cookie, but does it expire
    > > all other cookies too?
    > >
    > > Anyone else ever experience this? Is it by design?
    > >
    > > Thanks!
    > > S
    > >

    >
    >
    >
     
    Steve, Jul 5, 2007
    #3
  4. Steve

    Steve Guest

    HA! Do I feel like an idiot:
    if (Request.Cookies["EmpID"] != null) {
    Login1.UserName = Response.Cookies["EmpID"].Value;
    }
    I was checking the Request object if it was null, but referencing the
    Response object to get the value. DUH!!!

    Sorry for the bother and thanks for your help!!!
    S


    "Steve" wrote:

    > Here's the code... as you can see I am setting the expiration date.
    > In the page load I'm looking for the cookie so my team doesn't have to enter
    > their User ID every time.
    > I'm posting all the code just in case you see anything else I've left out.
    >
    > In the Page_Load event, the cookie is always null after they've logged out.
    >
    > Thanks for your quick reply! Let me know if you see anything else I may have
    > missed.
    > S
    >
    >
    >
    > protected void Page_Load(object sender, EventArgs e) {
    > if (!IsPostBack) {
    > if (Request.Cookies["EmpID"] != null) {
    > Login1.UserName = Response.Cookies["EmpID"].Value;
    > }
    > }
    > }
    >
    > protected void Login1_LoggedIn(object sender, EventArgs e) {
    > if (Login1.RememberMeSet) {
    > HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
    > cook.Expires = DateTime.Now.AddYears(1);
    > Response.Cookies.Add(cook);
    > }
    > }
    >
    > "Scott M." wrote:
    >
    > > How are you setting your cookies? If you aren't providing a good expiration
    > > date, the cookies will become "session" cookies, which only last as long as
    > > the session does.
    > >
    > >
    > > "Steve" <> wrote in message
    > > news:...
    > > > I'm using forms authentication with my .net 2.0 site.
    > > > I'm setting some cookies after the user logs in, and as long
    > > > as they stay logged in I can "see" the cookies on subsequent posts.
    > > >
    > > > The problem is that as soon as the user logs out, the cookies are gone.
    > > > I know ASP will expire the Ticket cookie, but does it expire
    > > > all other cookies too?
    > > >
    > > > Anyone else ever experience this? Is it by design?
    > > >
    > > > Thanks!
    > > > S
    > > >

    > >
    > >
    > >
     
    Steve, Jul 5, 2007
    #4
  5. What happens if someone manually changes the empid cookie on the client?

    Will that bring your app in trouble (maybe even security trouble) ?


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > HA! Do I feel like an idiot:
    > if (Request.Cookies["EmpID"] != null) {
    > Login1.UserName = Response.Cookies["EmpID"].Value;
    > }
    > I was checking the Request object if it was null, but referencing the
    > Response object to get the value. DUH!!!
    >
    > Sorry for the bother and thanks for your help!!!
    > S
    > "Steve" wrote:
    >
    >> Here's the code... as you can see I am setting the expiration date.
    >> In the page load I'm looking for the cookie so my team doesn't have
    >> to enter
    >> their User ID every time.
    >> I'm posting all the code just in case you see anything else I've left
    >> out.
    >> In the Page_Load event, the cookie is always null after they've
    >> logged out.
    >>
    >> Thanks for your quick reply! Let me know if you see anything else I
    >> may have
    >> missed.
    >> S
    >> protected void Page_Load(object sender, EventArgs e) {
    >> if (!IsPostBack) {
    >> if (Request.Cookies["EmpID"] != null) {
    >> Login1.UserName = Response.Cookies["EmpID"].Value;
    >> }
    >> }
    >> }
    >> protected void Login1_LoggedIn(object sender, EventArgs e) {
    >> if (Login1.RememberMeSet) {
    >> HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
    >> cook.Expires = DateTime.Now.AddYears(1);
    >> Response.Cookies.Add(cook);
    >> }
    >> }
    >> "Scott M." wrote:
    >>
    >>> How are you setting your cookies? If you aren't providing a good
    >>> expiration date, the cookies will become "session" cookies, which
    >>> only last as long as the session does.
    >>>
    >>> "Steve" <> wrote in message
    >>> news:...
    >>>
    >>>> I'm using forms authentication with my .net 2.0 site.
    >>>> I'm setting some cookies after the user logs in, and as long
    >>>> as they stay logged in I can "see" the cookies on subsequent posts.
    >>>> The problem is that as soon as the user logs out, the cookies are
    >>>> gone.
    >>>> I know ASP will expire the Ticket cookie, but does it expire
    >>>> all other cookies too?
    >>>> Anyone else ever experience this? Is it by design?
    >>>>
    >>>> Thanks!
    >>>> S
     
    Dominick Baier, Jul 5, 2007
    #5
  6. Steve

    Scott M. Guest

    > I was checking the Request object if it was null, but referencing the
    > Response object to get the value. DUH!!!


    Actually you were doing it the other way around!
     
    Scott M., Jul 5, 2007
    #6
  7. Steve

    Steve Guest

    This isn't a public web site, only internal to our intranet, and it's only
    being used by people on my team, so security concerns of this nature aren't
    paramount.
    Forms authentication for this app is used more as a way of establishing ID
    vs security.

    Thanks for the heads up though.....

    "Dominick Baier" wrote:

    > What happens if someone manually changes the empid cookie on the client?
    >
    > Will that bring your app in trouble (maybe even security trouble) ?
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    >
    > > HA! Do I feel like an idiot:
    > > if (Request.Cookies["EmpID"] != null) {
    > > Login1.UserName = Response.Cookies["EmpID"].Value;
    > > }
    > > I was checking the Request object if it was null, but referencing the
    > > Response object to get the value. DUH!!!
    > >
    > > Sorry for the bother and thanks for your help!!!
    > > S
    > > "Steve" wrote:
    > >
    > >> Here's the code... as you can see I am setting the expiration date.
    > >> In the page load I'm looking for the cookie so my team doesn't have
    > >> to enter
    > >> their User ID every time.
    > >> I'm posting all the code just in case you see anything else I've left
    > >> out.
    > >> In the Page_Load event, the cookie is always null after they've
    > >> logged out.
    > >>
    > >> Thanks for your quick reply! Let me know if you see anything else I
    > >> may have
    > >> missed.
    > >> S
    > >> protected void Page_Load(object sender, EventArgs e) {
    > >> if (!IsPostBack) {
    > >> if (Request.Cookies["EmpID"] != null) {
    > >> Login1.UserName = Response.Cookies["EmpID"].Value;
    > >> }
    > >> }
    > >> }
    > >> protected void Login1_LoggedIn(object sender, EventArgs e) {
    > >> if (Login1.RememberMeSet) {
    > >> HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
    > >> cook.Expires = DateTime.Now.AddYears(1);
    > >> Response.Cookies.Add(cook);
    > >> }
    > >> }
    > >> "Scott M." wrote:
    > >>
    > >>> How are you setting your cookies? If you aren't providing a good
    > >>> expiration date, the cookies will become "session" cookies, which
    > >>> only last as long as the session does.
    > >>>
    > >>> "Steve" <> wrote in message
    > >>> news:...
    > >>>
    > >>>> I'm using forms authentication with my .net 2.0 site.
    > >>>> I'm setting some cookies after the user logs in, and as long
    > >>>> as they stay logged in I can "see" the cookies on subsequent posts.
    > >>>> The problem is that as soon as the user logs out, the cookies are
    > >>>> gone.
    > >>>> I know ASP will expire the Ticket cookie, but does it expire
    > >>>> all other cookies too?
    > >>>> Anyone else ever experience this? Is it by design?
    > >>>>
    > >>>> Thanks!
    > >>>> S

    >
    >
    >
     
    Steve, Jul 6, 2007
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jim Kelly

    Expiring cookies

    Jim Kelly, Aug 1, 2003, in forum: ASP .Net
    Replies:
    3
    Views:
    603
    someone
    Aug 5, 2003
  2. Replies:
    2
    Views:
    3,949
  3. Replies:
    0
    Views:
    445
  4. Omer
    Replies:
    5
    Views:
    323
    Juan T. Llibre
    Dec 8, 2006
  5. _Who
    Replies:
    7
    Views:
    2,687
Loading...

Share This Page