Forms Authentication Cookie Not Expiring Correctly

Discussion in 'ASP .Net' started by Mike, Jun 7, 2004.

  1. I have a web application that the forms authentication cookie is not expiring correctly. When I look at the trace information of a newly requested page after the session and forms authentication have expired the forms authentication cookie is assigned a new value. I am never redirected to the login page after my initial login. If I access the site from http://localhost/myapp instead of myapp.domain.com the cookies expire correctly. The cookies are being sent/received by the client as I'm able to store data in the session and I can get past the login page. Any ideas???
    Mike, Jun 7, 2004
    #1

  2. I have tracked it down to the code in the global.asax. If I comment out the Application_AuthenticateRequest code the user is redirected to the login page after the authentication ticket has expired. I don't know why the cookie is in the Request object as it should have expired and never sent to the server. Is this a bug in MS's example or in the way that the expiration time is set on the cookie or in the fact that the cookie is being sent to the server??? Thanks!

    Mike

    //needs: using System.Web; using System.Web.Security; using System.Security.Principal;
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        //extract the forms authentication cookie
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = Context.Request.Cookies[cookieName];

        if (null == authCookie)
        {
            //there is no authentication cookie
            return;
        }

        //extract and decrypt the authentication ticket from the forms authentication cookie
        FormsAuthenticationTicket authTicket = null;
        try
        {
            authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch //(Exception ex)
        {
            return;
        }

        if (null == authTicket)
        {
            //cookie failed to decrypt
            return;
        }
        else if (authTicket.Expired)
        {
            return;
        }

        //parse out the pipe separated list of role names attached to the ticket when
        //the user was originally authenticated
        //when the ticket was created, the UserData property was assigned a
        //pipe delimited string of role names
        string[] roles = authTicket.UserData.Split(new char[] {'|'});

        //create a FormsIdentity object with the user name obtained from the ticket name
        //and a GenericPrincipal object that contains this identity together with the user's role list

        //create an Identity object
        FormsIdentity id = new FormsIdentity(authTicket);

        //this principal will flow throughout the request
        GenericPrincipal principal = new GenericPrincipal(id, roles);

        //attach the new principal object to the current HttpContext object
        Context.User = principal;
    }


    ----- Mike wrote: -----

    I have a web application that the forms authentication cookie is not expiring correctly. When I look at the trace information of a newly requested page after the session and forms authentication have expired the forms authentication cookie is assigned a new value. I am never redirected to the login page after my initial login. If I access the site from http://localhost/myapp instead of myapp.domain.com the cookies expire correctly. The cookies are being sent/received by the client as I'm able to store data in the session and I can get past the login page. Any ideas???
    Mike, Jun 7, 2004
    #2

  3. "Mike" <> wrote in message
    news:...
    >
    > I have tracked it down to the code in the global.asax. If I comment
    > out the Application_AuthenticateRequest code the user is redirected to the
    > login page after the authentication ticket has expired. I don't know why the
    > cookie is in the Request object as it should have expired and never sent to
    > the server. Is this a bug in MS's example or in the way that the expiration
    > time is set on the cookie or in the fact that the cookie is being sent to
    > the server??? Thanks!

    Check on the domain being assigned to the cookie. If you get different
    results based on the URL, it's probably a domain problem (though there's a
    small chance it could be a path problem).
    --
    John Saunders
    johnwsaundersiii at hotmail
    John Saunders, Jun 7, 2004
    #3
  4. Hardcoded domain before cookie was sent to browser and still have same problem. The path is set to "/".

    Mike

    ----- John Saunders wrote: -----

    "Mike" <> wrote in message
    news:...
    >> I have tracked it down to the code in the global.asax. If I comment
    >> out the Application_AuthenticateRequest code the user is redirected to the
    >> login page after the authentication ticket has expired. I don't know why the
    >> cookie is in the Request object as it should have expired and never sent to
    >> the server. Is this a bug in MS's example or in the way that the expiration
    >> time is set on the cookie or in the fact that the cookie is being sent to
    >> the server??? Thanks!

    Check on the domain being assigned to the cookie. If you get different
    results based on the URL, it's probably a domain problem (though there's a
    small chance it could be a path problem).
    --
    John Saunders
    johnwsaundersiii at hotmail
    Mike, Jun 7, 2004
    #4
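
Added example, not part of any post in this thread: reply #3 suggests checking the domain and path assigned to the cookie. The C# sketch below applies the RFC 6265 domain-match, path-match and expiry rules to a constructed cookie jar, showing that an expired host-only cookie is dropped while a same-named cookie scoped to the parent domain is still sent. The cookie name .ASPXAUTH, the class names and the jar contents are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

class StoredCookie
{
    public string Name, Domain, Path = "/";
    public bool HostOnly;          // true when Set-Cookie carried no Domain attribute
    public DateTime? ExpiresUtc;   // null means a session cookie
}

static class CookieScope
{
    // RFC 6265 5.1.3: same host, or (unless host-only) a dot-delimited parent domain.
    // IP-literal hosts, which must match exactly, are not handled in this sketch.
    public static bool DomainMatches(string host, StoredCookie c)
    {
        if (string.Equals(host, c.Domain, StringComparison.OrdinalIgnoreCase)) return true;
        return !c.HostOnly && host.EndsWith("." + c.Domain, StringComparison.OrdinalIgnoreCase);
    }

    // RFC 6265 5.1.4: identical, or the cookie path is a prefix ending on a "/" boundary.
    public static bool PathMatches(string requestPath, string cookiePath)
    {
        if (requestPath == cookiePath) return true;
        if (!requestPath.StartsWith(cookiePath, StringComparison.Ordinal)) return false;
        return cookiePath.EndsWith("/") || requestPath[cookiePath.Length] == '/';
    }

    // The cookies a browser would attach to a request for url at time nowUtc.
    public static List<StoredCookie> CookiesSent(Uri url, DateTime nowUtc, IEnumerable<StoredCookie> jar)
    {
        return jar.Where(c => DomainMatches(url.Host, c)
                           && PathMatches(url.AbsolutePath, c.Path)
                           && (c.ExpiresUtc == null || c.ExpiresUtc > nowUtc)).ToList();
    }
}

static class Program
{
    static void Main()
    {
        DateTime now = new DateTime(2004, 6, 7, 12, 0, 0, DateTimeKind.Utc);
        var jar = new List<StoredCookie> {   // constructed sample jar, not data from the thread
            new StoredCookie { Name = ".ASPXAUTH", Domain = "localhost", HostOnly = true, ExpiresUtc = now.AddMinutes(-5) },
            new StoredCookie { Name = ".ASPXAUTH", Domain = "myapp.domain.com", HostOnly = true, ExpiresUtc = now.AddMinutes(-5) },
            new StoredCookie { Name = ".ASPXAUTH", Domain = "domain.com", ExpiresUtc = now.AddDays(1) },
        };
        foreach (string u in new[] { "http://localhost/myapp/default.aspx", "http://myapp.domain.com/default.aspx" })
            foreach (StoredCookie c in CookieScope.CookiesSent(new Uri(u), now, jar))
                Console.WriteLine(u + " <- " + c.Name + " (Domain=" + c.Domain + ")");
    }
}
```

Cookies with the same name but a different Domain or Path are separate entries in the browser's jar, so expiring or overwriting one leaves the other in place.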