Aren't the cookies supposed to expire when the browser is closed? If
not, how do I expire those cookies when the browser window is closed?
The users are closing windows and reopening them and are able to
access the secure pages without signing in...
FYI...I do have the Abandon and SignOut in the Logoff button
Session.Abandon();
//Make sure the Auth Cookie is null
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, null);
FormsAuthentication.SignOut();
*********************************************************************
Ram Adhikari wrote:
> Check if you are properly signing out the user. On the logout
> page/functionality use the following two lines:
>
> Session.Abandon();
> FormsAuthentication.SignOut();
>
> Hope this helps.
>
> All the Best,
> Ram Adhikari.
>
> "" wrote:
>
> > I recently found out that my authentication cookies are not expiring
> > even though I have set the persist property to false. As a result,
> > users are able to access the secure websites with indifferent results.
> >
> > Any pointers/suggestions would be very appreciated.
> >
> > Things were running as usual until recently.
> >
> > Here are the relevant pieces of code
> > ==========================================
> >
> > Web.config
> > ----------------
> > <authentication mode="Forms">
> > <forms loginUrl="SignIn.aspx" name="BCAuthCookie" timeout="60"
> > path="/" />
> > </authentication>
> >
> > <authorization>
> > <allow users="*" /> <!-- Allow all users -->
> > </authorization>
> >
> > <location path="TellOthers.aspx">
> > <system.web>
> > <authorization>
> > <deny users="?" />
> > <allow roles="AuthenticatedActiveMember" />
> > </authorization>
> > </system.web>
> > </location>
> >
> > Global.asax.cs
> > ===================
> > Application_OnAuthenticate
> > --------------------------------
> > string cookieName = FormsAuthentication.FormsCookieName;
> > HttpCookie authCookie = Context.Request.Cookies[cookieName];
> >
> > SignIn.aspx.cs
> > ===============
> > //If login is successful
> > user.WriteAuthCookie();
> > Response.Redirect(FormsAuthentication.GetRedirectUrl(user.Email, false));
> >
> > WriteAuthCookie
> > ====================
> > /// <summary>
> > /// Send an encrypted Authorization cookie
> > /// to the user for use when authentication/authorizing
> > /// against web pages.
> > /// </summary>
> > public void WriteAuthCookie()
> > {
> > //Create the Auth Ticket
> > FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
> >     1, //version
> >     Email, //user name
> >     DateTime.Now, //creation
> >     DateTime.Now.AddMinutes(60), //expiration
> >     false, //persistent
> >     GuestStatus.ToString()); //user data
> > //Encrypt the Auth Ticket
> > string encryptedTicket = FormsAuthentication.Encrypt(ticket);
> > //Create a cookie and add the encrypted ticket to the cookie as data
> > HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
> >
> > //Add the Auth Cookie to the outgoing cookies collection
> > HttpContext context = HttpContext.Current;
> > context.Response.Cookies.Add(cookie);
> > }
> >
> >
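An added example, not code from any poster in this thread: one way to issue the non-persistent ticket and to log off so that the browser actually receives a cookie that is already expired. The class name AuthCookieHelper, its method names, and the parameter names are hypothetical; only the System.Web calls are real.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper class (assumption, not part of the original application).
public static class AuthCookieHelper
{
    // Issue a non-persistent ticket carried in a browser-session cookie.
    public static void Issue(HttpResponse response, string userName,
                             string userData, int minutes)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                        // version
            userName,                 // user name
            now,                      // issue date
            now.AddMinutes(minutes),  // ticket expiration, checked on the server
            false,                    // not persistent
            userData,                 // user data
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        // Expires is deliberately left unset, which makes this a session cookie.
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follow the <forms> setting
        response.Cookies.Add(cookie);
    }

    // Log off: drop server-side session state and overwrite the auth cookie.
    public static void SignOut(HttpContext context)
    {
        if (context.Session != null)
            context.Session.Abandon();
        FormsAuthentication.SignOut();

        HttpCookie expired = new HttpCookie(
            FormsAuthentication.FormsCookieName, string.Empty);
        expired.Path = FormsAuthentication.FormsCookiePath;
        expired.HttpOnly = true;
        expired.Expires = DateTime.Now.AddYears(-1);
        // A cookie object only reaches the browser once it is placed in
        // Response.Cookies; Set replaces the entry SignOut already queued.
        context.Response.Cookies.Set(expired);
    }
}
```

How long a session cookie survives is decided by the browser; the server controls only the ticket expiration and what the logoff response sends.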