Stumped on FormsAuth Cookie Timing Out

Discussion in 'ASP .Net Security' started by George Durzi, Sep 19, 2003.

  1. George Durzi

    George Durzi Guest

    hi all, I am totally stumped, and I need your help.
    My authentication cookie (using FormsAuth against Active Directory) is
    expiring way too often (like less than 20 minutes). I have it set to expire
    in 8 hours. I'm not deploying anything to the site, so I'm not resetting the
    application during that time.

    Here's all the code which deals with any authentication. Any feedback would
    be GREATLY appreciated.

    in web.config
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="adAuthCookie" timeout="480" path="/" />
    </authentication>

    User Login Function (References LDAPAuthentication class, unnecessary for
    this example)

    #region LoginUser
    // Requires: System, System.Configuration, System.Web, System.Web.Security
    private void LoginUser()
    {
        // Retrieve LDAP Connect String and Domain Name
        string sADPath = ConfigurationSettings.AppSettings["LDAPConnectString"].ToString();
        string sDomain = ConfigurationSettings.AppSettings["DomainName"].ToString();

        // Instance of LdapAuthentication class
        LDAPAuthentication oLdapAuth = new LDAPAuthentication(sADPath);

        try
        {
            if (true == oLdapAuth.IsAuthenticated(sDomain, txtUserName.Value.Trim(),
                txtPassword.Value.Trim()))
            {
                // Retrieve a list of AD Groups the User is a Member of
                string sGroups = oLdapAuth.GetGroups();

                // Create the User's FormsAuthenticationTicket
                FormsAuthenticationTicket oAuthTicket = new FormsAuthenticationTicket(
                    1, txtUserName.Value.Trim(), DateTime.Now,
                    DateTime.Now.AddHours(8), true, sGroups);
                // Encrypt the FormsAuthenticationTicket
                string sTicket = FormsAuthentication.Encrypt(oAuthTicket);

                // Create the auth cookie for the User
                HttpCookie oCookie = new HttpCookie(FormsAuthentication.FormsCookieName, sTicket);
                oCookie.Expires = DateTime.Now.AddHours(8);

                // Add the cookie to the collection
                Response.Cookies.Add(oCookie);

                // Redirect the User
                Response.Redirect(FormsAuthentication.GetRedirectUrl(
                    txtUserName.Value.Trim(), false));
            }
            else
            {
                divLoginError.Visible = true;
                lblLogin.Text = "* Sorry, you entered incorrect login credentials, please try again. *";
            }
        }
        catch (Exception)
        {
            // Rethrow without resetting the stack trace
            throw;
        }
    }
    #endregion

    Then in my Application_AuthenticateRequest

    #region Application_AuthenticateRequest
    // Requires: System, System.Security.Principal, System.Web, System.Web.Security
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        // Retrieve FormsAuthentication Cookie Name
        string sCookieName = FormsAuthentication.FormsCookieName;
        // Retrieve Authentication Cookie
        HttpCookie oCookie = Context.Request.Cookies[sCookieName];

        // If cookie doesn't exist, exit function
        if (null == oCookie) return;

        // Create FormsAuthenticationTicket object
        FormsAuthenticationTicket oAuthTicket = null;

        try
        {
            // Retrieve FormsAuthenticationTicket from encrypted cookie
            oAuthTicket = FormsAuthentication.Decrypt(oCookie.Value);
            // Renew the ticket if it's expired
            // (an expired ticket is re-issued here rather than rejected, and the
            // renewed ticket is not written back to the cookie)
            if (oAuthTicket.Expired)
                oAuthTicket = FormsAuthentication.RenewTicketIfOld(oAuthTicket);
        }
        catch (Exception) { return; }

        // If FormsAuthenticationTicket doesn't exist, exit function
        if (null == oAuthTicket) return;

        // Retrieve array of Group Names from FormsAuthenticationTicket
        string[] sGroupsArray = oAuthTicket.UserData.Split(new char[]{'|'});

        // Create a GenericIdentity Object
        GenericIdentity oIdentity = new GenericIdentity(oAuthTicket.Name, "LDAPAuthentication");
        // Create a GenericPrincipal Object from the GenericIdentity and the Groups Array
        GenericPrincipal oPrincipal = new GenericPrincipal(oIdentity, sGroupsArray);

        // Assign the current HTTP instance of the application to the GenericPrincipal object
        Context.User = oPrincipal;
    }
    #endregion
     
    George Durzi, Sep 19, 2003
    #1

  2. George Durzi

    George Durzi Guest

    Does anyone know if there's another timeout setting that's maybe in IIS?

    I've set it in web.config, machine.config, and in my code when creating my
    cookie

    George Durzi, Sep 23, 2003
    #2

  3. George Durzi

    George Durzi Guest

    I thought I'd share the solution.

    My colleague pointed out to me that there is a timeout attribute for
    sessions that's set in the web.config. It's overriding everything else. I
    had to scroll right to see it, that's why I was missing it!

    George Durzi, Sep 25, 2003
    #3
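
A check for the situation described in the last post, where a session timeout elsewhere in web.config was much shorter than the forms timeout and easy to overlook on a long line. This is an added example, not part of the thread: the sample web.config is constructed, and the function names `collect_timeouts` and `audit` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the thread), using the forms
# settings quoted in the first post plus a long single-line sessionState.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="adAuthCookie" timeout="480" path="/" />
    </authentication>
    <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
  </system.web>
</configuration>"""

# ASP.NET defaults, in minutes, used when the attribute is not set.
DEFAULTS = {"forms": 30, "sessionState": 20}


def collect_timeouts(xml_text):
    """Return {element: (minutes, explicitly_set)} for forms and sessionState."""
    root = ET.fromstring(xml_text)
    explicit = {}
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # ignore an XML namespace if present
        if name in DEFAULTS and el.get("timeout") is not None:
            explicit[name] = int(el.get("timeout"))
    return {name: (explicit.get(name, default), name in explicit)
            for name, default in DEFAULTS.items()}


def audit(xml_text):
    """List every timeout found and flag a session timeout below the ticket's."""
    timeouts = collect_timeouts(xml_text)
    report = ["%s timeout: %d min (%s)" % (n, m, "set" if e else "default")
              for n, (m, e) in timeouts.items()]
    forms, session = timeouts["forms"][0], timeouts["sessionState"][0]
    if session < forms:
        report.append("MISMATCH: sessionState timeout is %d min shorter than "
                      "the forms ticket" % (forms - session))
    return report


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WEB_CONFIG)))
```

Run against each web.config in the site tree, it lists both timeouts side by side, including the defaults that apply when an attribute is absent.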