Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Problem with Forms Authentication cookies

Reply
Thread Tools

Problem with Forms Authentication cookies

 
 
Scott
Guest
Posts: n/a
 
      10-15-2003
Hi,

We're having an issue with Forms Authentication cookies being treated as
expired / invalid, and being deleted. This is causing our intranet users a
great deal of pain

- Running IIS 5.0 on Win2k Server
- Forms Authentication is setup with a timeout value of 45 minutes in
web.config
- Session timeout is set to 45 minutes in web.config

In viewing the IIS logs, we an see a request for an aspx page (a POST) with
a response of 302. The log shows the cookies sent in with the request -
only 2, the ASP.NET_SessionID cookie and the Forms Authentication cookie,
which we named CSSAuth.

The next request coming is is a GET request for the Forms Authentication
login aspx page. The query string contains the url of the originally
requested page. In this request there is only one cookie - the
ASP.NET_SessionID cookie. The CSSAuth cooke is NOT THERE in this request.

In looking at the logs for NORMAL expired authentication redirects these
requests always contain the CSSAuth cookie, even though it is ezpired. In
the cases where users get redirected to login prior to authentication
timeout, the cookie is missing from the GET request issued in response to
the redirect.

Why is this authentication ticket cookie seen as invalid prior to timeout?
Why is this cookie being removed? What piece of code is responsible for
doing all this?

Scott L.


 
Reply With Quote
 
 
 
 
Rajesh.V
Guest
Posts: n/a
 
      10-16-2003
We had the same problem, after lot of hunting, we found, running Antivirus
software causes the web.config, global.asax or the dll to be touched. The
causes the workerprocess to recycle and u loose all session. And this
happens randomly, and sessions dont last beyond 3 mins.

The best solution is using out of process session management. That is in an
sql server.

"Scott" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> We're having an issue with Forms Authentication cookies being treated as
> expired / invalid, and being deleted. This is causing our intranet users a
> great deal of pain
>
> - Running IIS 5.0 on Win2k Server
> - Forms Authentication is setup with a timeout value of 45 minutes in
> web.config
> - Session timeout is set to 45 minutes in web.config
>
> In viewing the IIS logs, we an see a request for an aspx page (a POST)

with
> a response of 302. The log shows the cookies sent in with the request -
> only 2, the ASP.NET_SessionID cookie and the Forms Authentication cookie,
> which we named CSSAuth.
>
> The next request coming is is a GET request for the Forms Authentication
> login aspx page. The query string contains the url of the originally
> requested page. In this request there is only one cookie - the
> ASP.NET_SessionID cookie. The CSSAuth cooke is NOT THERE in this request.
>
> In looking at the logs for NORMAL expired authentication redirects these
> requests always contain the CSSAuth cookie, even though it is ezpired.

In
> the cases where users get redirected to login prior to authentication
> timeout, the cookie is missing from the GET request issued in response to
> the redirect.
>
> Why is this authentication ticket cookie seen as invalid prior to timeout?
> Why is this cookie being removed? What piece of code is responsible for
> doing all this?
>
> Scott L.
>
>



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Give Request.Cookies and Response.Cookies is there any reason to use another method to use cookies? _Who ASP .Net 7 09-18-2008 07:49 PM
Best practices for using forms authentication and security in a hosted env (was: Re: Using a Forms authentication in a shared hosting environment) JEFF ASP .Net 1 11-12-2007 07:00 PM
forms authentication -- expired forms cookie vs. not provided forms cookie Eric ASP .Net Security 2 01-27-2006 10:09 PM
Forms Authentication question: How to have some pages open and some requiring forms authentication Eric ASP .Net 2 02-13-2004 02:14 PM
Problem with Forms Authentication cookies Scott ASP .Net 1 10-16-2003 01:45 PM



Advertisments