Forms Authentication non-persistent cookie not expiring after closingthe browser


R

rh.krish

I have a typical ASP.NET 2.0 Forms authentication application which
authenticates against Active Directory. I use non-persistent cookie so
that the user is NOT remembered across browser sessions. The timeout
is set to 10 minutes. Here is the important code snippets that I took
from my original code:

string roleToCheck = .....;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
member.UserName, DateTime.Now, DateTime.Now.AddMinutes(10), false,
roleToCheck, FormsAuthentication.FormsCookiePath);
string encryptedTicket =
FormsAuthentication.Encrypt(ticket);
HttpCookie authSessionCookie = new
HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authSessionCookie.HttpOnly = true;
authSessionCookie.Expires = ticket.Expiration;
Response.Cookies.Add(authSessionCookie);
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);

Note that I'm setting the 2nd parameter to false which means that it
creates non-persistent cookie. Now I opened the IE browser and logged
in by entering the user credentials. I closed the window and there was
no other instance of IE running. I opened another IE and entered the
URL and it straight away went to default page instead of Login page.

1. Why is the cookie not expiring even after I close the browser?
2. If that's how the ASP.NET works, is there any work around so that
whenever the user closes IE and opens another IE, he should be forced
to login once again?

Thanks,
Hari.
 
Ad

Advertisements

M

Matthijs Krempel

Hari,

If you authenticate against the Active Directory, why not host your solution
under intergrated security?

That would solve a lot of your problems.

Kind regards,

Matthijs Krempel
 
R

rh.krish

Hi Matthijs - The reason that we are not using Integrated Security and
using Forms is because we have some external (limited) users who
access the application out of our network.

-Hari.
 
Ad

Advertisements

M

Matthijs Krempel

Hi Hari,

You can write a custom membershipprovider, that uses both your custom
authentication scenario and uses the activedirectorymembershipprovider.

Forms authentication will do the rest for you, no mucking about with writing
custom authentication logic.

With kind regards,

Matthijs Krempel
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top