Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Forms Authentication Ticket Reissue

Reply
Thread Tools

Forms Authentication Ticket Reissue

 
 
Stefan Leyhane
Guest
Posts: n/a
 
      03-28-2005
When using Forms Authentication with the SlidingExpiration attribute
set to 'true', the authentication ticket is reissued sometime after
half of the timeout value specified has elapsed.

From the documentation:
"To prevent compromised performance, and to avoid multiple browser
warnings for users that have cookie warnings turned on, the cookie is
updated when more than half the specified time has elapsed."

How is it possible to trap the ticket reissue? I have not been able
to find an event where I can catch it (even the Application_EndRequest
event).

Some more details: I'm using forms authentication with role-based
security in a manner very close to the way it is documented many
places such as at "http://weblogs.asp.net/cazzu/archive/2004/07/21/FormsAuthRoles.aspx".
I'm storing the user's roles in the user data of the authentication
ticket.

I have the added complication that I need to explicitly set the domain
on the authentication cookie since I share it with some other
applications running in other subdomains. For example, if my
application is running in 'dev.xyz.com', the cookie domain gets set to
'xyz.com'. When the authentication ticket is reissued a cookie with
the 'dev.xyz.com' is being created instead -- causing all sorts of
problems.

Any help is appreciated. Thanks,

Stefan

--
Stefan Leyhane
 
Reply With Quote
 
 
 
 
Hernan de Lahitte
Guest
Posts: n/a
 
      03-30-2005
What path do you have configured in the path attribute in Forms
configuration ? (the default "/" perhaps?)

The ticket renewal will use the same path that you have configured in your
forms config section or the ccokiepath parameter in RedirectFromLoginPage
method:

RedirectFromLoginPage(string userName, bool createPersistentCookie, string
strCookiePath)

This article (http://www.codeproject.com/aspnet/as...nglesignon.asp) may
be of help as well.

--
Hernan de Lahitte
http://weblogs.aspnet/hernandl



"Stefan Leyhane" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> When using Forms Authentication with the SlidingExpiration attribute
> set to 'true', the authentication ticket is reissued sometime after
> half of the timeout value specified has elapsed.
>
> From the documentation:
> "To prevent compromised performance, and to avoid multiple browser
> warnings for users that have cookie warnings turned on, the cookie is
> updated when more than half the specified time has elapsed."
>
> How is it possible to trap the ticket reissue? I have not been able
> to find an event where I can catch it (even the Application_EndRequest
> event).
>
> Some more details: I'm using forms authentication with role-based
> security in a manner very close to the way it is documented many
> places such as at
> "http://weblogs.asp.net/cazzu/archive/2004/07/21/FormsAuthRoles.aspx".
> I'm storing the user's roles in the user data of the authentication
> ticket.
>
> I have the added complication that I need to explicitly set the domain
> on the authentication cookie since I share it with some other
> applications running in other subdomains. For example, if my
> application is running in 'dev.xyz.com', the cookie domain gets set to
> 'xyz.com'. When the authentication ticket is reissued a cookie with
> the 'dev.xyz.com' is being created instead -- causing all sorts of
> problems.
>
> Any help is appreciated. Thanks,
>
> Stefan
>
> --
> Stefan Leyhane



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ASP.Net Forms Authentication - Storing Enrypted Ticket In HttpCookie Mythran ASP .Net 2 03-08-2007 04:50 PM
Forms Authentication Ticket Functionality With Windows Authentication jfer ASP .Net Security 3 09-16-2005 06:30 PM
Forms Authentication Ticket/Cookie values =?Utf-8?B?Y2h1Y2sgcnVkb2xwaA==?= ASP .Net 3 05-19-2005 12:16 AM
forms authentication ticket .userdata vanishing e ASP .Net 1 10-24-2003 06:14 PM
Authentication ticket, cookieless, forms authentication? Lauchlan M ASP .Net Security 0 10-01-2003 12:23 AM



Advertisments