Non persistent cookie timeout?

bashful.belle

I'm using Forms authentication and a non persistent cookie in my
asp.net application.
How do I get the cookie to time out after a period of inactivity, say
10 minutes, and force the user to login again?
If I close the browser, the next time I use the application, it makes
me log in - and that's fine.
However if I keep the browser session open, it keeps my login valid for
as long as the browser is open - I want it to time out.
Specifying the timeout value in the web.config seems to have no effect.
Any pointers? Code appended. Thanks!

    <authentication mode="Forms">
        <forms loginUrl="logon.aspx" name="portal" timeout="10"
               slidingExpiration="true" protection="All" path="/">
        </forms>
    </authentication>


    // Create the authentication ticket
    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
        1, txtUserName.Text, DateTime.Now, DateTime.Now.AddMinutes(10), false, "");

    // Now encrypt the ticket.
    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

    // Create a cookie and add the encrypted ticket
    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

    // Add the cookie to the outgoing cookies collection.
    Response.Cookies.Add(authCookie);
    Session.Add("Login", txtUserName.Text);
    Session.Add("Group", Group);

    Page.SmartNavigation = false;
    // Redirect the user to the originally requested page
    Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserName.Text, false));
 
S. Justin Gengo [MCP]

Belle,

Just after you create your cookie and before you add it to the response, use:

    authCookie.Expires = DateTime.Now.AddMinutes(10);


--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
 
bashful.belle

But now I have a new problem...

If I happen to close the browser session before the 10 minute timeout,
and open a new session, it doesn't force me to log in.

I am essentially wanting to use a non persistent cookie that will
expire with the browser session, but will also timeout after a period
of inactivity.

Pointers?

Thanks.
 
S. Justin Gengo [MCP]

Belle,

Use the forms authentication object's redirect:

    FormsAuthentication.RedirectFromLoginPage(username.Text, false);

Setting the second parameter to false sets a non-persistent cookie.

 
bashful.belle

Justin,

Still no luck... back to square one, the cookie behaves like a non
persistent cookie, and expires only if the browser is closed.
Despite the timeout specified as 10 minutes, the cookie never times
out... What am I doing wrong?

My web.config:

    <authentication mode="Forms">
        <forms loginUrl="logon.aspx" name="portal" timeout="10"
               slidingExpiration="true" protection="All" path="/">
        </forms>
    </authentication>


When the user attempts to log on:

    // Create the authentication ticket
    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
        1, txtUserName.Text, DateTime.Now, DateTime.Now.AddMinutes(10), false, "");
    // Now encrypt the ticket.
    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

    // Create a cookie and add the encrypted ticket to the
    // cookie as data.
    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
    // Add the cookie to the outgoing cookies collection.
    authCookie.Expires = DateTime.Now.AddMinutes(10);
    Response.Cookies.Add(authCookie);

    Session.Add("Login", txtUserName.Text);
    Session.Add("Group", Group);
    Page.SmartNavigation = false;
    // Redirect the user to the originally requested page
    FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);

Do I need to edit the machine.config?

Thanks,
Belle
 
S. Justin Gengo [MCP]

Belle,

At this point there are more possibilities than I can go into here. Try
looking through this article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000012.asp
It should contain all the information you need. If you don't solve your
problem here let me know. By the way, what are you using the Session object
for? Are you using cookies or the session variable for your timeout? If
you're actually using the session then it won't time out until ten minutes
have gone by from the last time the client has contacted the server. And
closing the browser won't matter...

 
bashful.belle

I'm using the cookie for timeout... but unless I close the browser a
timeout never occurs!
OK, a stupid question here, but do I need to explicitly check for a
cookie timeout, or will the "Application_AuthenticateRequest" in
global.asax take care of it?
Please have a look at my global.asax for my app:

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        // Extract the forms authentication cookie
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = Context.Request.Cookies[cookieName];

        if (null == authCookie)
        {
            // There is no authentication cookie.
            return;
        }
        FormsAuthenticationTicket authTicket = null;
        try
        {
            authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception ex)
        {
            // Log exception details (omitted for simplicity)
            return;
        }
        if (null == authTicket)
        {
            // Cookie failed to decrypt.
            return;
        }

        // When the ticket was created, the UserData property was assigned a
        // pipe delimited string of group names.
        String[] groups = authTicket.UserData.Split(new char[]{'|'});

        // Create an Identity object
        GenericIdentity id = new GenericIdentity(authTicket.Name, "LdapAuthentication");

        // This principal will flow throughout the request.
        GenericPrincipal principal = new GenericPrincipal(id, groups);
        // Attach the new principal object to the current HttpContext object
        Context.User = principal;
    }
Thanks.
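
Added example, not part of the thread: the handler posted above attaches a principal for any cookie that decrypts and never reads the ticket's expiration, so this sketch keeps the cookie browser-session-only (no Expires) and enforces the timeout from the ticket on the server. The class name PortalAuth, its two method names and the timeoutMinutes parameter are hypothetical; it does not renew the ticket itself.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not code from the thread. PortalAuth and its members are hypothetical names.
public static class PortalAuth
{
    // Login side: the inactivity limit goes into the ticket; the cookie gets no
    // Expires value, so the browser drops it when the session closes.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string[] groups, int timeoutMinutes)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(timeoutMinutes),
            false,                      // isPersistent
            string.Join("|", groups));  // pipe-delimited group names, as in the thread
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // keep the ticket away from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follow the requireSSL setting
        response.Cookies.Set(cookie);
    }

    // Call from Application_AuthenticateRequest. Returns true only when a
    // principal was attached to the request.
    public static bool Authenticate(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return false;                     // no authentication cookie

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }   // tampered or undecryptable cookie

        if (ticket == null || ticket.Expired)
        {
            FormsAuthentication.SignOut();    // tell the browser to discard the stale cookie
            return false;                     // request stays anonymous
        }

        string[] groups = ticket.UserData.Split('|');
        GenericIdentity id = new GenericIdentity(ticket.Name, "LdapAuthentication");
        context.User = new GenericPrincipal(id, groups);
        return true;
    }
}
```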
 
