Stumped on FormsAuth Cookie Timing Out

 
 
George Durzi
Guest
Posts: n/a
 
      09-19-2003
hi all, I am totally stumped, and I need your help.
My authentication cookie (using FormsAuth against Active Directory) is
expiring way too often (like less than 20 minutes). I have it set to expire
in 8 hours. I'm not deploying anything to the site, so I'm not resetting the
application during that time.

Here's all the code which deals with any authentication. Any feedback would
be GREATLY appreciated.

in web.config
<authentication mode="Forms">
    <forms loginUrl="login.aspx" name="adAuthCookie" timeout="480" path="/" />
</authentication>

User Login Function (References LDAPAuthentication class, unnecessary for
this example)

#region LoginUser
// Requires: using System; using System.Configuration; using System.Web; using System.Web.Security;
private void LoginUser()
{
    // Retrieve LDAP Connect String and Domain Name
    string sADPath = ConfigurationSettings.AppSettings["LDAPConnectString"].ToString();
    string sDomain = ConfigurationSettings.AppSettings["DomainName"].ToString();

    // Instance of LdapAuthentication class
    LDAPAuthentication oLdapAuth = new LDAPAuthentication(sADPath);

    try
    {
        if (true == oLdapAuth.IsAuthenticated(sDomain, txtUserName.Value.Trim(),
            txtPassword.Value.Trim()))
        {
            // Retrieve a list of AD Groups the User is a Member of
            string sGroups = oLdapAuth.GetGroups();

            // Create the User's FormsAuthenticationTicket (persistent, valid for 8 hours)
            FormsAuthenticationTicket oAuthTicket = new FormsAuthenticationTicket(
                1, txtUserName.Value.Trim(), DateTime.Now,
                DateTime.Now.AddHours(8), true, sGroups);
            // Encrypt the FormsAuthenticationTicket
            string sTicket = FormsAuthentication.Encrypt(oAuthTicket);

            // Create the auth cookie for the User
            HttpCookie oCookie = new HttpCookie(FormsAuthentication.FormsCookieName, sTicket);
            oCookie.Expires = DateTime.Now.AddHours(8);

            // Add the cookie to the collection
            Response.Cookies.Add(oCookie);

            // Redirect the User
            Response.Redirect(
                FormsAuthentication.GetRedirectUrl(txtUserName.Value.Trim(), false));
        }
        else
        {
            divLoginError.Visible = true;
            lblLogin.Text = "* Sorry, you entered incorrect login credentials, please try again. *";
        }
    }
    catch (Exception)
    {
        // Rethrow without resetting the stack trace
        throw;
    }
}
#endregion

Then in my Application_AuthenticateRequest

#region Application_AuthenticateRequest
// Requires: using System; using System.Security.Principal; using System.Web; using System.Web.Security;
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // Retrieve FormsAuthentication Cookie Name
    string sCookieName = FormsAuthentication.FormsCookieName;
    // Retrieve Authentication Cookie
    HttpCookie oCookie = Context.Request.Cookies[sCookieName];

    // If cookie doesn't exist, exit function
    if (null == oCookie) return;

    // Create FormsAuthenticationTicket object
    FormsAuthenticationTicket oAuthTicket = null;

    try
    {
        // Retrieve FormsAuthenticationTicket from encrypted cookie
        oAuthTicket = FormsAuthentication.Decrypt(oCookie.Value);
        // An expired ticket must not be renewed: RenewTicketIfOld would hand back
        // a fresh ticket and the expiry would never be enforced. Leave the
        // request unauthenticated instead.
        if (null != oAuthTicket && oAuthTicket.Expired) return;
    }
    catch (Exception) { return; }

    // If FormsAuthenticationTicket doesn't exist, exit function
    if (null == oAuthTicket) return;

    // Retrieve array of Group Names from FormsAuthenticationTicket
    string[] sGroupsArray = oAuthTicket.UserData.Split(new char[]{'|'});

    // Create a GenericIdentity Object
    GenericIdentity oIdentity = new GenericIdentity(oAuthTicket.Name, "LDAPAuthentication");
    // Create a GenericPrincipal Object from the GenericIdentity and the Groups Array
    GenericPrincipal oPrincipal = new GenericPrincipal(oIdentity, sGroupsArray);

    // Assign the GenericPrincipal object to the current HTTP context
    Context.User = oPrincipal;
}
#endregion


 
 
 
 
 
George Durzi
Guest
Posts: n/a
 
      09-23-2003
Does anyone know if there's another timeout setting that's maybe in IIS?

I've set it in web.config, machine.config, and in my code when creating my
cookie

 
 
 
 
George Durzi
Guest
Posts: n/a
 
      09-25-2003
I thought I'd share the solution.

My colleague pointed out to me that there is a timeout attribute for
sessions that's set in the web.config. It's overriding everything else. I
had to scroll right to see it, that's why I was missing it!

 
 
 