Forms Authentication Ticket Reissue

Discussion in 'ASP .Net Security' started by Stefan Leyhane, Mar 28, 2005.

  1. When using Forms Authentication with the SlidingExpiration attribute
    set to 'true', the authentication ticket is reissued sometime after
    half of the timeout value specified has elapsed.

    From the documentation:
    "To prevent compromised performance, and to avoid multiple browser
    warnings for users that have cookie warnings turned on, the cookie is
    updated when more than half the specified time has elapsed."

    How is it possible to trap the ticket reissue? I have not been able
    to find an event where I can catch it (even the Application_EndRequest
    event).

    Some more details: I'm using forms authentication with role-based
    security in a manner very close to the way it is documented in many
    places, such as at "http://weblogs.asp.net/cazzu/archive/2004/07/21/FormsAuthRoles.aspx".
    I'm storing the user's roles in the user data of the authentication
    ticket.

    I have the added complication that I need to explicitly set the domain
    on the authentication cookie since I share it with some other
    applications running in other subdomains. For example, if my
    application is running in 'dev.xyz.com', the cookie domain gets set to
    'xyz.com'. When the authentication ticket is reissued, a cookie with
    the 'dev.xyz.com' domain is being created instead -- causing all sorts of
    problems.

    Any help is appreciated. Thanks,

    Stefan

    --
    Stefan Leyhane
     
    Stefan Leyhane, Mar 28, 2005
    #1

  2. What path do you have configured in the path attribute in Forms
    configuration? (the default "/" perhaps?)

    The ticket renewal will use the same path that you have configured in your
    forms config section or the cookie path parameter in the RedirectFromLoginPage
    method:

    RedirectFromLoginPage(string userName, bool createPersistentCookie, string strCookiePath)

    This article (http://www.codeproject.com/aspnet/aspnetsinglesignon.asp) may
    be of help as well.

    --
    Hernan de Lahitte
    http://weblogs.aspnet/hernandl

    Hernan de Lahitte, Mar 30, 2005
    #2
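
One way to observe the reissue and correct the cookie scope, as an added example that is not code posted by either participant. It assumes a Global.asax code-behind class named Global and uses 'xyz.com' from the question as the shared domain; it relies on FormsAuthenticationModule having already added the renewed cookie to Response.Cookies when the Global.asax AuthenticateRequest handler runs.

```csharp
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumption: the parent domain shared by the sub-domain applications,
    // taken from the example in the question.
    private const string SharedCookieDomain = "xyz.com";

    // FormsAuthenticationModule handles AuthenticateRequest before this
    // Global.asax handler runs. When it renews a sliding ticket it adds the
    // new cookie to Response.Cookies, which is where the reissue shows up.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        string name = FormsAuthentication.FormsCookieName;

        // Response.Cookies[name] creates an empty cookie when none exists,
        // so check the key list before using the indexer.
        if (Array.IndexOf(Response.Cookies.AllKeys, name) < 0)
            return; // no ticket was reissued on this request

        HttpCookie reissued = Response.Cookies[name];
        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(reissued.Value);
        }
        catch (ArgumentException)
        {
            // Empty or malformed value: not a ticket cookie we should touch.
        }
        if (ticket == null)
            return;

        // Re-scope the renewed cookie so it replaces the shared one instead
        // of creating a second, host-only cookie for dev.xyz.com.
        reissued.Domain = SharedCookieDomain;
        reissued.Path = FormsAuthentication.FormsCookiePath;
        reissued.Secure = FormsAuthentication.RequireSSL;

        System.Diagnostics.Trace.WriteLine("Forms ticket reissued for " +
            ticket.Name + ", expires " + ticket.Expiration.ToString("u"));
    }
}
```

The renewed ticket carries over the original UserData, so roles stored there survive the reissue and only the cookie scope needs correcting.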