Forms Authentication Cookie Not Expiring Correctly

Guest

I have a web application in which the forms authentication cookie is not expiring correctly. When I look at the trace information of a newly requested page after the session and forms authentication have expired, the forms authentication cookie is assigned a new value. I am never redirected to the login page after my initial login. If I access the site from http://localhost/myapp instead of myapp.domain.com the cookies expire correctly. The cookies are being sent/received by the client as I'm able to store data in the session and I can get past the login page. Any ideas???
 
Guest

I have tracked it down to the code in the global.asax. If I comment out the Application_AuthenticateRequest code the user is redirected to the login page after the authentication ticket has expired. I don't know why the cookie is in the Request object as it should have expired and never been sent to the server. Is this a bug in MS's example or in the way that the expiration time is set on the cookie or in the fact that the cookie is being sent to the server??? Thanks

Mike

    //requires: using System.Security.Principal; using System.Web; using System.Web.Security;
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        //extract the forms authentication cookie
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = Context.Request.Cookies[cookieName];

        if (null == authCookie)
        {
            //there is no authentication cookie
            return;
        }

        //extract and decrypt the authentication ticket from the forms authentication cookie
        FormsAuthenticationTicket authTicket = null;
        try
        {
            authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch //(Exception ex)
        {
            return;
        }

        if (null == authTicket)
        {
            //cookie failed to decrypt
            return;
        }
        else if (authTicket.Expired)
        {
            return;
        }

        //parse out the pipe separated list of role names attached to the ticket when
        //the user was originally authenticated
        //when the ticket was created, the UserData property was assigned a
        //pipe delimited string of role names
        string[] roles = authTicket.UserData.Split(new char[] {'|'});

        //create a FormsIdentity object with the user name obtained from the ticket name
        //and a GenericPrincipal object that contains this identity together with the user's role list

        //create an Identity object
        FormsIdentity id = new FormsIdentity(authTicket);

        //this principal will flow throughout the request
        GenericPrincipal principal = new GenericPrincipal(id, roles);

        //attach the new principal object to the current HttpContext object
        Context.User = principal;
    }


----- Mike wrote: ----

I have a web application in which the forms authentication cookie is not expiring correctly. When I look at the trace information of a newly requested page after the session and forms authentication have expired, the forms authentication cookie is assigned a new value. I am never redirected to the login page after my initial login. If I access the site from http://localhost/myapp instead of myapp.domain.com the cookies expire correctly. The cookies are being sent/received by the client as I'm able to store data in the session and I can get past the login page. Any ideas???
 
John Saunders

Mike said:
I have tracked it down to the code in the global.asax. If I comment
out the Application_AuthenticateRequest code the user is redirected to the
login page after the authentication ticket has expired. I don't know why the
cookie is in the Request object as it should have expired and never sent to
the server. Is this a bug in MS's example or in the way that the expiration
time is set on the cookie or in the fact that the cookie is being sent to
the server??? Thanks!

Check on the domain being assigned to the cookie. If you get different
results based on the URL, it's probably a domain problem (though there's a
small chance it could be a path problem).
 
Guest

Hardcoded domain before cookie was sent to browser and still have same problem. The path is set to "/"

Mike

----- John Saunders wrote: ----

out the Application_AuthenticateRequest code the user is redirected to the
login page after the authentication ticket has expired. I don't know why the
cookie is in the Request object as it should have expired and never sent to
the server. Is this a bug in MS's example or in the way that the expiration
time is set on the cookie or in the fact that the cookie is being sent to
the server??? Thanks!

Check on the domain being assigned to the cookie. If you get different
results based on the URL, it's probably a domain problem (though there's a
small chance it could be a path problem).
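
One way to carry out the check John Saunders suggests, as an added example that is not code from the thread or from Microsoft's sample: it sets the cookie's Domain, Path and expiry explicitly at login and reports what the ticket says on each request. `AuthCookieDiagnostics`, `IssueTicket` and `Describe` are hypothetical names, and .NET Framework 2.0 or later is assumed.

```csharp
// Added example; AuthCookieDiagnostics, IssueTicket and Describe are hypothetical
// names. The cookie domain and ticket lifetime are supplied by the caller.
using System;
using System.Web;
using System.Web.Security;

public static class AuthCookieDiagnostics
{
    // Login side: build the ticket and cookie by hand so that Domain, Path and
    // both expirations are explicit rather than inherited from defaults.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string pipeSeparatedRoles, string cookieDomain,
                                   TimeSpan lifetime, bool persistent)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(lifetime), persistent,
            pipeSeparatedRoles, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        if (!String.IsNullOrEmpty(cookieDomain))
            cookie.Domain = cookieDomain;        // leave unset for a host-only cookie
        if (persistent)
            cookie.Expires = ticket.Expiration;  // otherwise a browser-session cookie
        response.Cookies.Add(cookie);
    }

    // Request side: the browser sends only name=value, so the cookie's Domain,
    // Path and Expires are not visible here; the decrypted ticket is the only
    // record of when the login should end.
    public static string Describe(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return "no forms authentication cookie in request";
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return "cookie present but value could not be decrypted"; }
        if (ticket == null) return "cookie present but no ticket was returned";
        return String.Format(
            "host={0} user={1} issued={2:o} expires={3:o} expired={4} persistent={5} path={6}",
            request.Url.Host, ticket.Name, ticket.IssueDate, ticket.Expiration,
            ticket.Expired, ticket.IsPersistent, ticket.CookiePath);
    }
}
```

Writing `AuthCookieDiagnostics.Describe(Context.Request)` to the page trace at the top of `Application_AuthenticateRequest`, once via http://localhost/myapp and once via myapp.domain.com, shows whether both hosts present the same ticket and when it expires.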
 
