Forms authentication cookies not expiring...

 
 
pv_kannan@yahoo.com
      08-29-2005
I recently found out that my authentication cookies are not expiring
even though I have set the persist property to false. As a result,
users are able to access the secure websites with indifferent results.

Any pointers/suggestions would be much appreciated.

Things were running as usual until recently.

Here are the relevant pieces of code
==========================================

Web.config
----------------
<authentication mode="Forms">
<forms loginUrl="SignIn.aspx" name="BCAuthCookie" timeout="60"
path="/" />
</authentication>

<authorization>
<allow users="*" /> <!-- Allow all users -->
</authorization>

<location path="TellOthers.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow roles="AuthenticatedActiveMember" />
</authorization>
</system.web>
</location>

Global.asax.cs
===================
Application_OnAuthenticate
--------------------------------
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];

SignIn.aspx.cs
===============
//If login is successful
user.WriteAuthCookie();
Response.Redirect(FormsAuthentication.GetRedirectUrl(user.Email,
false));

WriteAuthCookie
====================
/// <summary>
/// Send an encrypted Authorization cookie
/// to the user for use when authentication/authorizing
/// against web pages.
/// </summary>
public void WriteAuthCookie()
{
//Create the Auth Ticket
FormsAuthenticationTicket ticket = new
FormsAuthenticationTicket(1, //version
Email, //user name
DateTime.Now, //creation
DateTime.Now.AddMinutes(60), //expiration
false, //persistent
GuestStatus.ToString()); //user data
//Encrypt the Auth Ticket
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
//Create a cookie and add the encrypted ticket to the cookie as data
HttpCookie cookie = new
HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

//Add the Auth Cookie to the outgoing cookies collection
HttpContext context = HttpContext.Current;
context.Response.Cookies.Add(cookie);
}

 
 
 
 
 
Ram Adhikari
 
      08-30-2005
Check if you are properly signing out the user. On the logout
page/functionality use the following two lines:

Session.Abandon();
FormsAuthentication.SignOut();

Hope this helps.

All the Best,
Ram Adhikari.

 
 
 
 
 
pv_kannan@yahoo.com
 
      08-30-2005
Aren't the cookies supposed to expire when the browser is closed? If
not, how do I expire those cookies when the browser window is closed?

The users are closing the windows and reopening them and are able to
access the secure pages without signing in...


FYI...I do have the Abandon and SignOut in the Logoff button

Session.Abandon();
//Make sure the Auth Cookie is null
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
null);
FormsAuthentication.SignOut();



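Added example (not part of the original thread, and not the posters' code): a server-side check that decrypts the forms ticket on each request and rejects it once the expiration stored inside the ticket has passed, so access does not depend on the browser discarding its session cookie. It assumes ASP.NET 2.0 or later; AuthCookieHelper, ValidateTicket and ExpireCookie are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper for illustration; not from the thread.
public static class AuthCookieHelper
{
    // Returns the decrypted ticket, or null when the cookie is missing,
    // cannot be decrypted, or is past the expiration held in the ticket.
    public static FormsAuthenticationTicket ValidateTicket(HttpContext context)
    {
        HttpCookie authCookie =
            context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || String.IsNullOrEmpty(authCookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            // Malformed or tampered value: treat as unauthenticated.
            ticket = null;
        }

        // The ticket carries its own expiration, independent of the
        // cookie's Expires attribute (unset here, i.e. a session cookie).
        if (ticket == null || ticket.Expired)
        {
            ExpireCookie(context);
            return null;
        }
        return ticket;
    }

    // Tells the browser to delete the cookie by sending it back
    // with an empty value and an expiry date in the past.
    public static void ExpireCookie(HttpContext context)
    {
        HttpCookie expired =
            new HttpCookie(FormsAuthentication.FormsCookieName, String.Empty);
        expired.Path = FormsAuthentication.FormsCookiePath;
        expired.HttpOnly = true;
        expired.Secure = FormsAuthentication.RequireSSL;
        expired.Expires = DateTime.Now.AddYears(-1);
        context.Response.Cookies.Set(expired);
    }
}
```

Call ValidateTicket from Application_AuthenticateRequest in Global.asax.cs and treat a null result as an anonymous request.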

 