problem with slidingExpiration

Discussion in 'ASP .Net Security' started by Alessandro Zucchi, Mar 4, 2005.

  1. Hi all,
    I'm trying to use Forms authentication with the slidingExpiration option set to
    true since I want to permit users to stay logged in when they use the web
    application. Only an idle timeout must log out the users.

    ***********************************************************
    The code follows:

    // Login page code-behind; needs using System, System.Web and System.Web.Security
    string CF = "ZCCLSN70R21C816A";
    int expiration = 2;
    DateTime dt = DateTime.Now;
    DateTime dte = dt.AddMinutes(expiration);
    FormsAuthenticationTicket tkt = new FormsAuthenticationTicket(CF, false, expiration);

    // encrypt the authentication ticket
    string cookiestr = FormsAuthentication.Encrypt(tkt);
    // create the cookie
    HttpCookie ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
    // add the cookie
    //ck.Expires=tkt.Expiration;
    Response.Cookies.Set(ck);

    ***********************************************
    Web.config follows:
    <!-- Login page -->
    <authentication mode="Forms">
    <forms loginUrl="login.aspx" name="miocook" protection="All" path="./"
    timeout="2" slidingExpiration="true" />
    </authentication>

    <authorization>
    <deny users ="?" />
    <allow users = "*" />
    </authorization>

    <sessionState
    mode="StateServer"
    stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
    cookieless="false"
    timeout="30"
    />
    **********************************************************
    The problem is that after 2 minutes, even if I use the application, the
    cookie expires.
    It looks to me that the flag slidingExpiration has no effect.

    Can anyone help me?
    Bye
    Alessandro Zucchi, Mar 4, 2005
    #1

  2. I think you should use the typical "RedirectFromLoginPage()" so you allow
    the Forms Auth internal data to initialize appropriately.
    For your scenario, this would be something like the sample below:

    RedirectFromLoginPage(CF, false)

    This may replace all your ticket/cookie stuff and will actually use your
    config settings as well.

    --
    Hernan de Lahitte
    http://weblogs.asp.net/hernandl
    http://www.lagash.com/english/index.html
    Hernan de Lahitte, Mar 7, 2005
    #2

  3. Hi Hernan,

    I tried your solution, but it doesn't run. The complete code follows.
    ********************************************************
    // Login page code-behind; needs using System, System.Web and System.Web.Security
    string CF = "ZCCLSN70R21C816A";
    FormsAuthentication.Initialize();
    Response.Cookies.Clear();
    // Create the ticket
    int expiration = 2;
    DateTime dt = DateTime.Now;
    DateTime dte = dt.AddMinutes(expiration);
    FormsAuthenticationTicket tkt = new FormsAuthenticationTicket(CF, false, expiration);

    // encrypt the authentication ticket
    string cookiestr = FormsAuthentication.Encrypt(tkt);

    // create the cookie
    HttpCookie ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
    // add the cookie
    //ck.Expires=tkt.Expiration; // NOT NEEDED FOR NON-PERSISTENT COOKIES
    Response.Cookies.Set(ck);

    // Redirect to the protected page
    FormsAuthentication.RedirectFromLoginPage(CF, false); // Target on protected page.
    //Response.Redirect("./path/relpath.aspx",true);
    **********************************************************
    After 2 minutes the user is logged out even if I use the application
    (multiple refreshes on the protected page).

    Bye
    Alessandro Zucchi, Mar 7, 2005
    #3
  4. Check out the path attribute in your config file. It should be "/" (without
    the dot ".")

    On the other hand, if you are using .NET Framework v.1.1 SP2, notice that
    the criteria to renew the ticket when slidingExpiration is turned on is
    something like this:

    If elapsedTime <= TTL / 2 Then renew Otherwise use the current ticket.

    In other words, if the elapsed time since ticket creation is greater than
    half the ticket timeout (in your scenario, that would be 1 minute), then the ticket
    won't be renewed. Otherwise a new ticket will be granted with a fresh
    timeout (2 mins in your case).
    Summarizing, if you hit your page after 1 minute, it won't extend your Forms
    session lifetime regardless of your slidingExpiration setting.


    --
    Hernan de Lahitte
    http://weblogs.asp.net/hernandl
    http://www.lagash.com/english/index.html
    Hernan de Lahitte, Mar 8, 2005
    #4
  5. Thank you.
    The problem was "./" instead of "/".
    Now everything runs.
    Bye
    Alessandro Zucchi, Mar 9, 2005
    #5
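
Added example, not code from the thread: a small JavaScript model of how a user agent that follows RFC 6265 scopes a cookie, comparing the `path="./"` value from the Web.config above with `path="/"`. The request paths are constructed sample values, and browsers contemporary with this thread may have handled a relative path differently.

```javascript
// Model of RFC 6265 cookie-path handling (sections 5.1.4 and 5.2.4).
// Constructed sample data: the page that issues the cookie and later requests.
const ISSUING_PAGE = "/app/secure/report.aspx";
const SAMPLE_REQUESTS = [
  "/app/login.aspx",
  "/app/default.aspx",
  "/app/secure/report.aspx",
  "/app/secure/detail.aspx",
];

// default-path: the "directory" of the request path that set the cookie.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// A Path attribute that is empty or does not start with "/" is not used;
// the user agent falls back to the default-path of the issuing request.
function effectiveCookiePath(pathAttr, issuingPath) {
  if (!pathAttr || pathAttr[0] !== "/") return defaultPath(issuingPath);
  return pathAttr;
}

// path-match: identical, or a prefix that ends on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Which of the sample requests would carry a cookie set with this Path value?
function scopeReport(pathAttr, issuingPath, requestPaths) {
  const cookiePath = effectiveCookiePath(pathAttr, issuingPath);
  const sentTo = requestPaths.filter((p) => pathMatch(p, cookiePath));
  return { cookiePath, sentTo };
}

for (const pathAttr of ["./", "/"]) {
  const r = scopeReport(pathAttr, ISSUING_PAGE, SAMPLE_REQUESTS);
  console.log(`Path=${pathAttr} -> stored as ${r.cookiePath}; sent to: ${r.sentTo.join(", ")}`);
}
```

With the relative value, the cookie's scope depends on which page issued it; with "/" the same cookie is returned on every request to the site.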