Forms Authentication Cookies Never Expire

Discussion in 'ASP .Net' started by Joey Powell, Dec 4, 2003.

  1. Joey Powell

    Joey Powell Guest

    This message was originally posted to the aspnet.security newsgroup,
    but no one there has ever heard of this before. That is why I am
    posting this message here, so that more people will see it...

    On my asp.net application, suddenly the forms authentication cookies
    for clients have quit expiring. This results in users being able to
    access the site from day to day without having to log in, even if
    their browsers are closed and reopened hours apart or even if their
    machines are rebooted. This behavior did not occur in my application
    at first. The problem only began after I modified the web.config file
    from not having a timeout value at all (which should have used the
    default value of 30mins?) to a custom value of timeout="10". Anyways
    that wouldn't work right for some reason, so I took that out and went
    back to no entry for the timeout value. Now the cookies never expire!
    What in the world is going on here?

    ---
    UPDATE

    I have also manually logged out using .SignOut() several times, but
    the cookies again do not expire/time-out once the users log back in. I
    have also cleared cookies...same results. I have verified that
    timeout="30" is present in the authentication tag of web.config just
    after the loginUrl value, but still the cookies are not expiring on
    ANY client machines...this is crazy!!!

    This has been going on now for a couple of weeks and is getting
    extremely irritating. Does anyone have a clue about what I can do to
    make it work again?
     
    Joey Powell, Dec 4, 2003
    #1

  2. Joey Powell

    evolve Guest

    2 different things

    timeout refers to the 'session' timeout
    a session object is created on a per user basis when the user accesses the
    website
    the session on start in global.asax is called before anything
    the timeout is reset each time they call a page (can be set in iis console)
    session object can be used to hold a bunch of stuff that you define
    e.g. Session["jobtitle"] = "admin"; (in C#)
    when the session eventually times out
    all the session[blah] stuff is lost


    the forms admin cookie is entirely different
    depending upon how you have set up the authentication in web.config
    the user will/won't require a formauth cookie

    you can set the expiry on the cookie when you issue the cookie
    for instance

    set the web config to
    deny='?'

    this will bounce all users to the http://website/virdir/login.aspx
    page where you can ask them to log in
    if they enter the correct password
    you issue them with a cookie
    can put a checkbox 'remember me' or something
    which adds an expiration date of 30 days or something
    next time they go in
    they have the formauth cookie so they won't need to login

    hope this helps
     
    evolve, Dec 4, 2003
    #2
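
What the reply above describes (issuing the cookie yourself and giving it an expiry only when "remember me" is ticked), as an added example that is not part of the original thread. The class name and the two lifetimes are assumptions; the calls are the standard `System.Web.Security` API.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper; call it from the login page after the
// credentials have been verified.
public class LoginHelper
{
    // Assumed policy values, not taken from the thread's web.config.
    static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(30);
    static readonly TimeSpan RememberMeLifetime = TimeSpan.FromDays(30);

    public static void IssueAuthCookie(HttpContext context, string userName, bool rememberMe)
    {
        DateTime now = DateTime.Now;
        DateTime expires = now.Add(rememberMe ? RememberMeLifetime : SessionLifetime);

        // The expiry stored inside the encrypted ticket is what the server
        // checks, regardless of what the browser does with the cookie.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, expires, rememberMe, String.Empty,
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;

        // Only a "remember me" cookie gets a browser-side expiry. Without
        // Expires it is a session cookie and is dropped when the browser closes.
        if (rememberMe)
        {
            cookie.Expires = expires;
        }

        context.Response.Cookies.Add(cookie);
        context.Response.Redirect(
            FormsAuthentication.GetRedirectUrl(userName, rememberMe));
    }
}
```

Inspecting the `Set-Cookie` header on the login response shows which case applies: a cookie that survives a browser restart carries an `expires` attribute, a session cookie does not.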

  3. Hi Joey,

    One possibility is that your logon page is being cached somewhere. This is
    described in an article.
    263730 Site Server Users May Be Authenticated Under the Wrong Account
    http://kb/article.asp?id=Q263730

    Try adding this to your logon page.
    Response.Cache.SetCacheability(HttpCacheability.NoCache)

    ---
    The next step is to try a sample application to see if it has the same
    problem. Please create a new project according to this article:
    http://msdn.microsoft.com/library/en-us/cpguide/html/cpconsimplecookieauthentication.asp

    Does it have the same problem?

    Thank you, Mike
    Microsoft, ASP.NET Support Professional

    Microsoft highly recommends to all of our customers that they visit the
    http://www.microsoft.com/protect site and perform the three straightforward
    steps listed to improve your computer’s security.

    This posting is provided "AS IS", with no warranties, and confers no rights.


    Mike Moore [MSFT], Dec 4, 2003
    #3