Forms authentication cookies not expiring...

Discussion in 'ASP .Net' started by pv_kannan@yahoo.com, Aug 29, 2005.

  1. Guest

    I recently found out that my authentication cookies are not expiring
    even though I have set the persist property to false. As a result,
    users are able to access the secure websites with indifferent results.

    Any pointers/suggestions would be very appreciated.

    Things were running as usual until recently.

    Here are the relevant pieces of code
    ==========================================

    Web.config
    ----------------
    <authentication mode="Forms">
        <forms loginUrl="SignIn.aspx" name="BCAuthCookie" timeout="60" path="/" />
    </authentication>

    <authorization>
        <allow users="*" /> <!-- Allow all users -->
    </authorization>

    <location path="TellOthers.aspx">
        <system.web>
            <authorization>
                <deny users="?" />
                <allow roles="AuthenticatedActiveMember" />
            </authorization>
        </system.web>
    </location>

    Global.ascx.cs
    ===================
    Application_OnAuthenticate
    --------------------------------
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];

    SignIn.aspx.cs
    ===============
    //If login is successful
    user.WriteAuthCookie();
    Response.Redirect(FormsAuthentication.GetRedirectUrl(user.Email, false));

    WriteAuthCookie
    ====================
    /// <summary>
    /// Send an encrypted Authorization cookie
    /// to the user for use when authenticating/authorizing
    /// against web pages.
    /// </summary>
    public void WriteAuthCookie()
    {
        //Create the Auth Ticket
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                           //version
            Email,                       //user name
            DateTime.Now,                //creation
            DateTime.Now.AddMinutes(60), //expiration
            false,                       //persistent
            GuestStatus.ToString());     //user data

        //Encrypt the Auth Ticket
        string encryptedTicket = FormsAuthentication.Encrypt(ticket);

        //Create a cookie and add the encrypted ticket to the cookie as data
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

        //Add the Auth Cookie to the outgoing cookies collection
        HttpContext context = HttpContext.Current;
        context.Response.Cookies.Add(cookie);
    }
    , Aug 29, 2005
    #1

  2. Check if you are properly signing out the user. On the logout
    page/functionality use the following two lines:

    Session.Abandon();
    FormsAuthentication.SignOut();

    Hope this helps.

    All the Best,
    Ram Adhikari.

    Ram Adhikari, Aug 30, 2005
    #2

  3. Guest

    Aren't the cookies supposed to expire when the browser is closed? If
    not, how do I expire those cookies when the browser window is closed?

    The users are closing the windows and reopening them and are able to
    access the secure pages without signing in...


    FYI...I do have the Abandon and SignOut in the Logoff button

    Session.Abandon();
    //Make sure the Auth Cookie is null
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, null);
    FormsAuthentication.SignOut();


    , Aug 30, 2005
    #3
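
Added example, not part of any post in this thread: one way to enforce the ticket's expiration on the server for a hand-built ticket like the one in WriteAuthCookie, and to clear the cookie on the client at logoff. The class and method names are hypothetical, and it assumes the ticket's UserData holds a single role name.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example; AuthCookieHelper and its methods are hypothetical names.
public static class AuthCookieHelper
{
    // Call from Application_AuthenticateRequest in Global.asax.cs.
    public static void Authenticate(HttpContext context)
    {
        HttpCookie authCookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
            return; // no ticket: the request stays anonymous

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            ticket = null; // tampered or undecryptable cookie
        }

        // Enforce the expiration stored inside the ticket. The cookie itself
        // carries no Expires value, so the browser will not enforce it.
        if (ticket == null || ticket.Expired)
        {
            ExpireAuthCookie(context);
            return;
        }

        // Assumption: UserData holds one role name (for example the
        // GuestStatus value written at sign-in).
        string[] roles = new string[] { ticket.UserData };
        context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Call at logoff, together with Session.Abandon(). The replacement cookie
    // must be added to the response, otherwise the browser keeps the old one.
    public static void ExpireAuthCookie(HttpContext context)
    {
        HttpCookie expired = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty);
        expired.Path = FormsAuthentication.FormsCookiePath;
        expired.HttpOnly = true;
        expired.Expires = DateTime.Now.AddYears(-1); // a past date tells the browser to delete it
        context.Response.Cookies.Add(expired);
    }
}
```

A cookie written without Expires is a session cookie, which the browser keeps until the browser process ends rather than when one window is closed, so the server-side ticket.Expired check is what bounds the session.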
