I have tracked it down to the code in the global.asax. If I comment out the Application_AuthenticateRequest code the user is redirected to the login page after the authentication ticket has expired. I don't know why the cookie is in the Request object as it should have expired and never been sent to the server. Is this a bug in MS's example or in the way that the expiration time is set on the cookie or in the fact that the cookie is being sent to the server??? Thanks
Mike
// requires: using System; using System.Web; using System.Web.Security; using System.Security.Principal;
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    //extract the forms authentication cookie
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];
    if (null == authCookie)
    {
        //there is no authentication cookie
        return;
    }
    //extract and decrypt the authentication ticket from the forms authentication cookie
    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch //(Exception ex)
    {
        return;
    }
    if (null == authTicket)
    {
        //cookie failed to decrypt
        return;
    }
    else if (authTicket.Expired)
    {
        return;
    }
    //parse out the pipe separated list of role names attached to the ticket when
    //the user was originally authenticated
    //when the ticket was created, the UserData property was assigned a
    //pipe delimited string of role names
    string[] roles = authTicket.UserData.Split(new char[] {'|'});
    //create a FormsIdentity object with the user name obtained from the ticket name
    //and a GenericPrincipal object that contains this identity together with the user's role list
    //create an Identity object
    FormsIdentity id = new FormsIdentity(authTicket);
    //this principal will flow throughout the request
    GenericPrincipal principal = new GenericPrincipal(id, roles);
    //attach the new principal object to the current HttpContext object
    Context.User = principal;
}
----- Mike wrote: ----
I have a web application that the forms authentication cookie is not expiring correctly. When I look at the trace information of a newly requested page after the session and forms authentication have expired the forms authentication cookie is assigned a new value. I am never redirected to the login page after my initial login. If I access the site from http://localhost/myapp instead of myapp.domain.com the cookies expire correctly. The cookies are being sent/received by the client as I'm able to store data in the session and I can get past the login page. Any Ideas???