Trying to create a secure app that never times out - very confused

pgorry

Hi all,

I am trying to create a new website using ASP.NET 2.0. I am using
forms authentication, and I am trying to have it so that once a user
signs in, they will never time out.

However, after logging in - and then leaving the browser (IE6) open for
a given period (I have not managed to identify this period exactly yet,
usually over half an hour anyway), any call to
HttpContext.Current.User.Identity.IsAuthenticated returns false, and my
app sends them back to the login page.

Here is what I am doing:
1. The login is handled by the asp.net login control, nothing too fancy
in that
2. The web config has the following set:
....
<authentication mode="Forms">
<forms cookieless="UseDeviceProfile" timeout="500000"
slidingExpiration="false"></forms>
</authentication>
....
<sessionState mode="Off"></sessionState>
3. Use the following code on the page.init to see if the user is
authenticated HttpContext.Current.User.Identity.IsAuthenticated

And my discoveries:
1. As I said - log in, leave the browser open for a period of time,
navigate to a new page, and the user is no longer authenticated
2. This appears to only be happening on the live server (which is
shared hosting - limited access). I have added some debugging to a
file, and when the call is made after the time lag
a) the value of HttpContext.Current.User.Identity.Name = "" (so
obviously the user is not authenticated)
b) The ".ASPXAUTH" cookie is no longer set
3. If I look at the cookie expiry (in debug on development machine) it
has an expiry of 01/01/0001, is this okay/normal?
4. Interestingly, if I set the timeout to be short, let's say 1 minute,
the application behaves okay, I can navigate on the site for 1 minute -
and after that I am forced to login. So it is respecting the timeout
value - to some degree
5. If I intermittently access the site, then it never seems to timeout.
This adds to the confusion as I have set slidingExpiration="false"
6. This happens on two separate machines, so does not appear to be
machine independent

My Questions
1. What's happening???
2. I am thinking that possibly the cookie expiration is not getting set
to the same value time as the form timeout. Is this possible?
3. Where is the cookie stored? I would have expected to see a cookie
in C:\Documents and Settings\user\Cookies called user@mywebsite[1].txt
but I don't. Yet looking at the traffic in Fiddler the cookie exists
and does get passed.
4. Am I correct in assuming I do not need to have SessionState enabled?
I have no need for it so have it disabled.

Any help on this would be appreciated. I feel like I am missing some
configuration - or maybe a complete lack of understanding of Forms
Authentication :)

Thanks.
Patrick.

pgorry

As often happens, putting something down in writing clears one's head.
After posting I realised how dumb one of my questions was.

3. Where is the cookie stored? I would have expected to see a cookie
in C:\Documents and Settings\user\Cookies called user@mywebsite[1].txt
but I don't. Yet looking at the traffic in Fiddler the cookie exists

The auth ticket is obviously stored in a session cookie. I re-ran a
test (the issue seems to only appear after one hour).

Now looking at the Request headers, the auth ticket IS passed in the
request. However, in the page_init of the master page (which is where
I do my authentication) the cookie is now null.

So somehow between the request and the first bit of code I can debug
on, I have lost the cookie.

Over to you folks!!

Kind Regards,
Patrick.
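The two observations in this thread (the first post: the .ASPXAUTH cookie gone after a long idle period despite timeout="500000"; the second post: the ticket visible on the wire in Fiddler but the cookie already null by the master page's Page_Init) can be separated by inspecting the raw ticket before FormsAuthenticationModule gets to it. The module handles AuthenticateRequest; if it cannot decrypt the ticket, or the ticket has expired, it discards it from Request.Cookies, so any code in the page lifecycle only ever sees the already-stripped request. Application_BeginRequest runs before that. The following Global.asax.cs code is an added example written for this thread, not code from Patrick's site; the class name, the App_Data log path and the assumption that the worker process can write there are mine.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Security;

// Added diagnostic for Global.asax.cs (example code, not from the thread).
// Application_BeginRequest fires before FormsAuthenticationModule handles
// AuthenticateRequest, so the raw .ASPXAUTH value is still in Request.Cookies
// here even when the module later rejects it and removes it.
public class Global : HttpApplication
{
    // Assumption: the worker process can write to App_Data (hypothetical log file).
    private static readonly string LogPath =
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, @"App_Data\authdiag.log");

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        string verdict = DescribeTicket(cookie == null ? null : cookie.Value);
        AppendLog(Request.RawUrl + " " + verdict);
    }

    // Classifies a raw forms-authentication cookie value into one of:
    //   NO_COOKIE      - the browser did not send the cookie at all
    //   UNDECRYPTABLE  - sent, but this process cannot validate/decrypt it
    //                    (the ticket was protected under a different machineKey)
    //   EXPIRED/VALID  - decrypted; shows the expiry stored inside the ticket
    public static string DescribeTicket(string rawValue)
    {
        if (string.IsNullOrEmpty(rawValue))
            return "NO_COOKIE (" + FormsAuthentication.FormsCookieName + " absent)";

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(rawValue);
        }
        catch (Exception ex)
        {
            // Decrypt throws when the MAC or the decryption fails.
            return "UNDECRYPTABLE " + ex.GetType().Name + ": " + ex.Message;
        }
        if (ticket == null)
            return "UNDECRYPTABLE (Decrypt returned null)";

        return string.Format(
            "{0} user={1} issued={2:u} expires={3:u} persistent={4} slidingExpiration={5}",
            ticket.Expired ? "EXPIRED" : "VALID",
            ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent,
            FormsAuthentication.SlidingExpiration);
    }

    private static void AppendLog(string line)
    {
        try
        {
            File.AppendAllText(LogPath,
                DateTime.UtcNow.ToString("u") + " " + line + Environment.NewLine);
        }
        catch (IOException)
        {
            // Diagnostics must never break the request.
        }
    }
}
```

Read the log line written for the request that bounced to the login page. Two facts help interpret it. First, the Login control only issues a persistent cookie when "Remember me" is ticked; otherwise the HttpCookie has no Expires set (which is why it shows as DateTime.MinValue, 01/01/0001), making it a browser session cookie, while the timeout from web.config (minutes, so 500000 is roughly 347 days) lives inside the encrypted ticket and is what ticket.Expiration reports. Second, an UNDECRYPTABLE verdict means the process validating the ticket is not using the key that issued it; on shared hosting, where the worker process identity and recycling are outside your control, pin an explicit <machineKey validationKey="..." decryptionKey="..."> in web.config instead of relying on AutoGenerate. One caveat before shipping a ticket that "never times out": to whoever captures it, the cookie is as good as the password for as long as it is valid, so bound the lifetime, enable requireSSL="true" on <forms> when the site runs over HTTPS, and prefer slidingExpiration="true" with a sensible timeout over a near-infinite absolute one.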