Cookie expiration

 
 
Oriane
      01-16-2009
Hi there,

I have deployed my asp.Net 2.0 site and I use a "login" component for the
forms authentication.
Some of my users are telling me that they lost their "credentials" although
they have checked the "Remember me" checkbox.
I've googled a little, but I'm confused with the "authentication timeout"
and the "session timeout" concepts...

Best regards.

Oriane

 
Alexey Smirnov
      01-16-2009
On Jan 16, 3:49 pm, "Oriane" <(E-Mail Removed)> wrote:
> Hi there,
>
> I have deployed my asp.Net 2.0 site and I use a "login" component for the
> forms authentication.
> Some of my users are telling me that they lost their "credentials" although
> they have checked the "Remember me" checkbox.
> I've googled a little, but I'm confused with the "authentication timeout"
> and the "session timeout" concepts...
>
> Best regards.
>
> Oriane


Hi Oriane

"Remember me" is based on cookies. Are you sure they don't delete cookies
after they visited your site?
Also, take a look here, maybe you have this problem too
http://forums.asp.net/p/947381/1147268.aspx

Hope this helps
 
Steven Cheng
      01-19-2009
Hi Oriane,

From your description, in your ASP.NET web application which uses Forms
authentication, sometimes the user will encounter unexpected logout
behavior, correct?

As for this problem, I think it is possible that the forms authentication
ticket (generated after the user has logged in/passed the login form) has been
lost or is invalid. Are you using the LoginControl to log in the user (or
manually writing code to log in, such as FormsAuthentication.RedirectFrom.....)?

Here are some possible causes I can think of; you may have a look over them to
see whether the issue is caused by any of them:

** Since ASP.NET forms authentication relies on a cookie to store the
authentication ticket, we have to ensure the client-side browser fully
supports cookies so that the problem is not caused by the client side.

** As for forms authentication, it has a timeout setting; you can check
whether this setting has been manually changed or is configured to a proper
value (or if you left it as default):

#Forms Authentication timeout default in ASP.NET 2.0
http://weblogs.asp.net/scottgu/archi...08/430011.aspx


** The machinekey problem. And this is what I think is the most likely cause.
An ASP.NET application needs to encrypt and sign many kinds of data (such as
ViewState, WebResource url strings, and the FormsAuthentication ticket).
However, the key used to encrypt/sign data is by default auto-generated by the
appdomain, and the key will change whenever the appdomain restarts. Therefore,
if your ASP.NET application has restarted for some reason (such as an unhandled
exception), the forms authentication ticket (and other data relying on the
machine key) will become invalid for the new application
instance (appdomain). One means to resolve this problem is to manually specify
a machinekey for your ASP.NET web application. Here is an MSDN article which
introduces the machinekey usage in ASP.NET 2.0:

#How To: Configure MachineKey in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ms998288.aspx

If there is anything unclear on this, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(E-Mail Removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business days is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subs.../aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
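
The three causes listed in the reply above (no cookie sent, ticket past its timeout, ticket issued under a different machineKey) can be told apart on the server by inspecting the ticket cookie before the forms authentication module processes it. This is an added example, not code from the thread; the `DescribeTicket` helper name and the log format are assumptions.

```csharp
// Global.asax.cs -- added diagnostic example, not code from the thread.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // BeginRequest runs before FormsAuthenticationModule handles the cookie,
    // so the raw value sent by the browser is still visible here.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string reason = DescribeTicket(Request.Cookies[FormsAuthentication.FormsCookieName]);
        // Log the reason only. The cookie value is a bearer credential and
        // must never be written to a log.
        System.Diagnostics.Trace.WriteLine("forms-auth: " + reason + " path=" + Request.Path);
    }

    // Hypothetical helper: maps the cookie state to one of the listed causes.
    internal static string DescribeTicket(HttpCookie cookie)
    {
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return "no cookie sent (blocked, cleared, or expired in the browser)";

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypts and validates the ticket with the current machineKey.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException)
        {
            return "ticket rejected (malformed, or protected with a different machineKey)";
        }
        catch (CryptographicException)
        {
            return "ticket undecryptable (machineKey differs from the one that issued it)";
        }

        if (ticket == null)
            return "ticket rejected (could not be decrypted or validated)";
        if (ticket.Expired)
            return "ticket expired at " + ticket.Expiration.ToString("u")
                 + " (forms timeout), persistent=" + ticket.IsPersistent;
        return "ticket valid until " + ticket.Expiration.ToString("u")
             + ", persistent=" + ticket.IsPersistent;
    }
}
```

A burst of "rejected" or "undecryptable" entries right after an application restart points at an auto-generated key; entries with `persistent=True` and an expiration close to the issue time point at the forms `timeout` value.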




Oriane
      01-19-2009
Hi Steven,
""Steven Cheng"" <(E-Mail Removed)> wrote in message
news:iPqWV$(E-Mail Removed)...
> Hi Oriane,
>
> From your description, in your ASP.NET web application which uses Forms
> authentication, sometimes the user will encounter unexpected logout
> behavior, correct?

No. When the user connects to my site, I want his login and password to be
automatically filled in on the login page, if he has checked the
"Remember me" checkbox in the asp.net login component.

Apparently, this is not always the case for my web users...

Have a nice day

 
Alexey Smirnov
      01-19-2009
On Jan 19, 2:15 pm, "Oriane" <(E-Mail Removed)> wrote:
> Hi Steven,
> ""Steven Cheng"" <(E-Mail Removed)> wrote in message news:iPqWV$(E-Mail Removed)...
> > Hi Oriane,
> >
> > From your description, in your ASP.NET web application which uses Forms
> > authentication, sometimes the user will encounter unexpected logout
> > behavior, correct?
>
> No. When the user connects to my site, I want his login and password to be
> automatically filled in on the login page, if he has checked the
> "Remember me" checkbox in the asp.net login component.
>
> Apparently, this is not always the case for my web users...
>
> Have a nice day


"Remember me" works differently. If you set the DisplayRememberMe
property to true and a user selects "Remember me", the
authentication token will be stored in a persistent cookie in the
browser with a default expiry of 50 years. It means the next time he
or she logs in, he/she will be authenticated automatically without
showing the login form.
 
Oriane
      01-19-2009
Hi Alexey,
"Alexey Smirnov" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> "Remember me" works differently. If you set the DisplayRememberMe
> property to true and a user selects "Remember me", the
> authentication token will be stored in a persistent cookie in the
> browser with a default expiry of 50 years. It means the next time he
> or she logs in, he/she will be authenticated automatically without
> showing the login form.

So what could explain that the persistent cookie disappears after a while?
(I'm sure that my users don't explicitly delete their cookies!)

Oriane

 
Oriane
      01-19-2009
Ok, I've understood (I think). After the session expiration, the user is
automatically logged out, and THEN he has to retype his login/password. So I
suppose that the cookie (is it the same?) is deleted even if it is
persistent.

 
Alexey Smirnov
      01-19-2009
On Jan 19, 4:17 pm, "Oriane" <(E-Mail Removed)> wrote:
> Ok, I've understood (I think). After the session expiration, the user is
> automatically logged out, and THEN he has to retype his login/password. So I
> suppose that the cookie (is it the same?) is deleted even if it is
> persistent.


From what I understood, it is working but not for all users. So, I
suppose they delete cookies. They could also check what Privacy
settings (IE - Tools - Internet Options) they have. It can be that
they restrict all/certain cookies.

Hope this helps
 
Steven Cheng
      01-20-2009
Hi Oriane,

Yes, ASP.NET forms authentication relies on a ticket (stored in a cookie) to
identify whether the user is authenticated. There are several causes that could
make the authentication ticket no longer exist or be valid. That's why I gave
you the list to check:

** client-side browser settings, or whether the user has manually cleared cookies

** the "timeout" setting of forms authentication. This is also how the
forms authentication cookie is generated (the lifetime). Even if you choose to
persist the cookie, it will still have a lifetime, not forever

** the machinekey: if the encryption key used for the ticket changed, the
client-side ticket will become invalid; in that case the user will also be
redirected to the login form.

For detailed check list and info, you can refer to my first reply.
Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Steven Cheng
      01-28-2009
Hi Oriane,

Do you still have any question on this?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

