Why authentication Ticket expires

Discussion in 'ASP .Net Security' started by Tony, Nov 13, 2003.

  1. Tony

    Tony Guest

    Can anybody tells if I'm doing something wrong in this code
    and why the user authentication ticket always expires 30
    minutes later, even though I set the cookie expiration
    date to the maximum value, and if I'm reading the cookie
    back the right way ?


    Dim myTicket As New FormsAuthenticationTicket(1, _
    myUser_, _
    DateTime.Now, _
    DateTime.Now.AddMinutes(30), _
    myCheckbox.Checked, _
    myUserData, _
    FormsAuthentication.FormsCookiePath)

    Dim hash As String = FormsAuthentication.Encrypt(myTicket)
    Dim myCookie As HttpCookie
    =New HttpCookie(FormsAuthentication.FormsCookieName, hash)

    If (myTicket.IsPersistent) Then myCookie.Expires=
    DateTime.MaxValue

    Response.Cookies.Add(myCookie)
    Dim url As String = FormsAuthentication.GetRedirectUrl
    (myUser, true)
    Response.Redirect(url)



    'THEN I READ THE COOKIE IN THE Global.asax FILE:
    If (Not (HttpContext.Current.User Is Nothing)) Then
    If (HttpContext.Current.User.Identity.IsAuthenticated) Then
    If (HttpContext.Current.User.Identity.AuthenticationType
    = "Forms") Then

    Dim myID As System.Web.Security.FormsIdentity =
    HttpContext.Current.User.Identity
    Dim myTicket As
    System.Web.Security.FormsAuthenticationTicket = myID.Ticket

    Dim userData As String = myTicket.UserData
    Dim myRoles As String() = Split (userData, ",")
    HttpContext.Current.User = New
    System.Security.Principal.GenericPrincipal(myID, myRoles)
    End If
    End If
    End If
    Tony, Nov 13, 2003
    #1
    1. Advertising

  2. Tony

    MSFT Guest

    Hi Tony,

    In the Constructor of FormsAuthenticationTicket, you have specify the
    expiration date:

    DateTime.Now, _
    DateTime.Now.AddMinutes(30),

    If you change it to:

    DateTime.Now.AddMinutes(60),

    Will the expire date be set to 60 minutes?

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Nov 14, 2003
    #2
    1. Advertising

  3. Tony

    tony Guest

    Hi Luke,
    when I set the Ticket expiration time to :
    DateTime.Now.AddMinutes(30)
    and then later I set the Cookie expiration time to the
    maximum value , isn't that suppose to overwite the
    expiration time for the Ticket set in the first statement ?

    What I'm doing basically is:
    create the ticket and set its expiration time to 30 minutes

    then I check if the user checked the Checkbox(remember my
    password) and reset the expiration time to the max value.
    If (myTicket.IsPersistent) Then taskCookie.Expires =
    DateTime.MaxValue



    >-----Original Message-----
    >Hi Tony,
    >
    >In the Constructor of FormsAuthenticationTicket, you have

    specify the
    >expiration date:
    >
    > DateTime.Now, _
    >DateTime.Now.AddMinutes(30),
    >
    >If you change it to:
    >
    >DateTime.Now.AddMinutes(60),
    >
    >Will the expire date be set to 60 minutes?
    >
    >Luke
    >Microsoft Online Support
    >
    >Get Secure! www.microsoft.com/security
    >(This posting is provided "AS IS", with no warranties,

    and confers no
    >rights.)
    >
    >
    >
    >
    >.
    >
    tony, Nov 17, 2003
    #3
  4. Tony

    MSFT Guest

    Hi Tony,

    It won't overwite the expiration time in this way. You may create
    FormsAuthenticationTicket object with different parameters based on the
    myCheckbox.Checked.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Nov 18, 2003
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. e
    Replies:
    1
    Views:
    3,558
    John Saunders
    Oct 24, 2003
  2. Mr. SweatyFinger
    Replies:
    2
    Views:
    1,747
    Smokey Grindel
    Dec 2, 2006
  3. Lauchlan M
    Replies:
    0
    Views:
    216
    Lauchlan M
    Oct 1, 2003
  4. Anders Lybecker

    Forms-based authentication expires before timeout

    Anders Lybecker, Jan 29, 2004, in forum: ASP .Net Security
    Replies:
    7
    Views:
    216
  5. jfer
    Replies:
    3
    Views:
    543
    Dominick Baier [DevelopMentor]
    Sep 16, 2005
Loading...

Share This Page