J
Joey Powell
On my asp.net application, suddenly the forms authentication cookies
for all clients have quit expiring. This results in users being able
to
access the site from day to day without having to log in, even if
their
browers are closed and then reopened hours apart or even if their
machines
are rebooted.
This behavior did not occur in my application at first. The problem
only began after I modified the web.config file from not having a
timeout value at all (which should have used the default of 30mins?)
to a custom value of timeout="10". Anyways that wouldn't work right
for some reason so I took that out and went back to no entry for the
timeout value. That is when the problem started happening. Now, even
though I have manually added the timeout value back in and set it to
30, the cookies still never expire! I have posted a snippet of the
web.config file below as it is now...
<authentication mode="Forms">
<forms loginUrl="LogIn.aspx" timeout="30">
<credentials passwordFormat="Clear">
<user name="SomeUser" password="SomePassword"/>
</credentials>
</forms>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
The following section was added to secure the private parts of the
site...
<location path="Portal">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
As you can clearly see, I have indicated a [timeout="30"] value in the
forms tag. I have also done several builds/compiles, but the
authentication cookies never expire. What in the world is going on
here?
for all clients have quit expiring. This results in users being able
to
access the site from day to day without having to log in, even if
their
browers are closed and then reopened hours apart or even if their
machines
are rebooted.
This behavior did not occur in my application at first. The problem
only began after I modified the web.config file from not having a
timeout value at all (which should have used the default of 30mins?)
to a custom value of timeout="10". Anyways that wouldn't work right
for some reason so I took that out and went back to no entry for the
timeout value. That is when the problem started happening. Now, even
though I have manually added the timeout value back in and set it to
30, the cookies still never expire! I have posted a snippet of the
web.config file below as it is now...
<authentication mode="Forms">
<forms loginUrl="LogIn.aspx" timeout="30">
<credentials passwordFormat="Clear">
<user name="SomeUser" password="SomePassword"/>
</credentials>
</forms>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
The following section was added to secure the private parts of the
site...
<location path="Portal">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
As you can clearly see, I have indicated a [timeout="30"] value in the
forms tag. I have also done several builds/compiles, but the
authentication cookies never expire. What in the world is going on
here?