Forms Authentication Cookie Does Not Expire

J

Joey Powell

On my asp.net application, suddenly the forms authentication cookies
for clients have quit expiring. This results in users being able to
access the site from day to day without having to log in, even their
browers are closed and reopened hours apart or even if their machines
are rebooted. This behavior did not occur in my application at first.
The problem only began after I modified the web.config file from not
having a timeout value at all (which should have used the default of
30mins?) to a custom value of timeout="10". Anyways that wouldn't work
right for some reason so I took that out and went back to no entry for
the timeout value. Now the cookies never expire! What in the world is
going on here?
 
R

Randy Charles Morin

Have you considered setting it to 30? I dont know why 10 didnt work,
but I assume it was too short.
http://samples.gotdotnet.com/quickstart/aspplus/doc/formsauth.aspx

Randy
http://www.kbcafe.com

On my asp.net application, suddenly the forms authentication cookies
for clients have quit expiring. This results in users being able to
access the site from day to day without having to log in, even their
browers are closed and reopened hours apart or even if their machines
are rebooted. This behavior did not occur in my application at first.
The problem only began after I modified the web.config file from not
having a timeout value at all (which should have used the default of
30mins?) to a custom value of timeout="10". Anyways that wouldn't work
right for some reason so I took that out and went back to no entry for
the timeout value. Now the cookies never expire! What in the world is
going on here?
0
 
M

MSFT

Hi Joey,

Have you tried to call "FormsAuthentication.SignOut()" to force user sign
out?

For more information on form authentication, you may refer to following
article:

HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
Using Visual Basic .NET
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q308157

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
J

Joey Powell

Luke, I do not want to have to do that. I am more interested in making
it work as advertised. Is this a known bug in asp.net? If not then can
we document and fix it? If I were to use the Signout, then where would
I put it in the app? The only thing that I can think of is in the page
unload event but that would require the user to log in between every
page, and that doesn't make sense!
 
M

MSFT

Hi Joey,

I haven't found a similar like this. I think you may have the user call
Signout method on a page and log in again to see if the expire are set to
correctly. Also, you may try to delete cookies on a client to see if this
can fix the problem. For more inforamtion on form authentication and
cookies, you may refer to this article:

HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
Using Visual Basic .NET
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q308157

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,482
Members
44,901
Latest member
Noble71S45

Latest Threads

Top