Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Cookies expiring when user logs out?

Reply
Thread Tools

Cookies expiring when user logs out?

 
 
Steve
Guest
Posts: n/a
 
      07-05-2007
I'm using forms authentication with my .net 2.0 site.
I'm setting some cookies after the user logs in, and as long
as they stay logged in I can "see" the cookies on subsequent posts.

The problem is that as soon as the user logs out, the cookies are gone.
I know ASP will expire the Ticket cookie, but does it expire
all other cookies too?

Anyone else ever experience this? Is it by design?

Thanks!
S

 
Reply With Quote
 
 
 
 
Scott M.
Guest
Posts: n/a
 
      07-05-2007
How are you setting your cookies? If you aren't providing a good expiration
date, the cookies will become "session" cookies, which only last as long as
the session does.


"Steve" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm using forms authentication with my .net 2.0 site.
> I'm setting some cookies after the user logs in, and as long
> as they stay logged in I can "see" the cookies on subsequent posts.
>
> The problem is that as soon as the user logs out, the cookies are gone.
> I know ASP will expire the Ticket cookie, but does it expire
> all other cookies too?
>
> Anyone else ever experience this? Is it by design?
>
> Thanks!
> S
>



 
Reply With Quote
 
 
 
 
Steve
Guest
Posts: n/a
 
      07-05-2007
Here's the code... as you can see I am setting the expiration date.
In the page load I'm looking for the cookie so my team doesn't have to enter
their User ID every time.
I'm posting all the code just in case you see anything else I've left out.

In the Page_Load event, the cookie is always null after they've logged out.

Thanks for your quick reply! Let me know if you see anything else I may have
missed.
S



protected void Page_Load(object sender, EventArgs e) {
if (!IsPostBack) {
if (Request.Cookies["EmpID"] != null) {
Login1.UserName = Response.Cookies["EmpID"].Value;
}
}
}

protected void Login1_LoggedIn(object sender, EventArgs e) {
if (Login1.RememberMeSet) {
HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
cook.Expires = DateTime.Now.AddYears(1);
Response.Cookies.Add(cook);
}
}

"Scott M." wrote:

> How are you setting your cookies? If you aren't providing a good expiration
> date, the cookies will become "session" cookies, which only last as long as
> the session does.
>
>
> "Steve" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I'm using forms authentication with my .net 2.0 site.
> > I'm setting some cookies after the user logs in, and as long
> > as they stay logged in I can "see" the cookies on subsequent posts.
> >
> > The problem is that as soon as the user logs out, the cookies are gone.
> > I know ASP will expire the Ticket cookie, but does it expire
> > all other cookies too?
> >
> > Anyone else ever experience this? Is it by design?
> >
> > Thanks!
> > S
> >

>
>
>

 
Reply With Quote
 
Steve
Guest
Posts: n/a
 
      07-05-2007
HA! Do I feel like an idiot:
if (Request.Cookies["EmpID"] != null) {
Login1.UserName = Response.Cookies["EmpID"].Value;
}
I was checking the Request object if it was null, but referencing the
Response object to get the value. DUH!!!

Sorry for the bother and thanks for your help!!!
S


"Steve" wrote:

> Here's the code... as you can see I am setting the expiration date.
> In the page load I'm looking for the cookie so my team doesn't have to enter
> their User ID every time.
> I'm posting all the code just in case you see anything else I've left out.
>
> In the Page_Load event, the cookie is always null after they've logged out.
>
> Thanks for your quick reply! Let me know if you see anything else I may have
> missed.
> S
>
>
>
> protected void Page_Load(object sender, EventArgs e) {
> if (!IsPostBack) {
> if (Request.Cookies["EmpID"] != null) {
> Login1.UserName = Response.Cookies["EmpID"].Value;
> }
> }
> }
>
> protected void Login1_LoggedIn(object sender, EventArgs e) {
> if (Login1.RememberMeSet) {
> HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
> cook.Expires = DateTime.Now.AddYears(1);
> Response.Cookies.Add(cook);
> }
> }
>
> "Scott M." wrote:
>
> > How are you setting your cookies? If you aren't providing a good expiration
> > date, the cookies will become "session" cookies, which only last as long as
> > the session does.
> >
> >
> > "Steve" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > I'm using forms authentication with my .net 2.0 site.
> > > I'm setting some cookies after the user logs in, and as long
> > > as they stay logged in I can "see" the cookies on subsequent posts.
> > >
> > > The problem is that as soon as the user logs out, the cookies are gone.
> > > I know ASP will expire the Ticket cookie, but does it expire
> > > all other cookies too?
> > >
> > > Anyone else ever experience this? Is it by design?
> > >
> > > Thanks!
> > > S
> > >

> >
> >
> >

 
Reply With Quote
 
Dominick Baier
Guest
Posts: n/a
 
      07-05-2007
What happens if someone manually changes the empid cookie on the client?

Will that bring your app in trouble (maybe even security trouble) ?


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> HA! Do I feel like an idiot:
> if (Request.Cookies["EmpID"] != null) {
> Login1.UserName = Response.Cookies["EmpID"].Value;
> }
> I was checking the Request object if it was null, but referencing the
> Response object to get the value. DUH!!!
>
> Sorry for the bother and thanks for your help!!!
> S
> "Steve" wrote:
>
>> Here's the code... as you can see I am setting the expiration date.
>> In the page load I'm looking for the cookie so my team doesn't have
>> to enter
>> their User ID every time.
>> I'm posting all the code just in case you see anything else I've left
>> out.
>> In the Page_Load event, the cookie is always null after they've
>> logged out.
>>
>> Thanks for your quick reply! Let me know if you see anything else I
>> may have
>> missed.
>> S
>> protected void Page_Load(object sender, EventArgs e) {
>> if (!IsPostBack) {
>> if (Request.Cookies["EmpID"] != null) {
>> Login1.UserName = Response.Cookies["EmpID"].Value;
>> }
>> }
>> }
>> protected void Login1_LoggedIn(object sender, EventArgs e) {
>> if (Login1.RememberMeSet) {
>> HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
>> cook.Expires = DateTime.Now.AddYears(1);
>> Response.Cookies.Add(cook);
>> }
>> }
>> "Scott M." wrote:
>>
>>> How are you setting your cookies? If you aren't providing a good
>>> expiration date, the cookies will become "session" cookies, which
>>> only last as long as the session does.
>>>
>>> "Steve" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>>
>>>> I'm using forms authentication with my .net 2.0 site.
>>>> I'm setting some cookies after the user logs in, and as long
>>>> as they stay logged in I can "see" the cookies on subsequent posts.
>>>> The problem is that as soon as the user logs out, the cookies are
>>>> gone.
>>>> I know ASP will expire the Ticket cookie, but does it expire
>>>> all other cookies too?
>>>> Anyone else ever experience this? Is it by design?
>>>>
>>>> Thanks!
>>>> S



 
Reply With Quote
 
Scott M.
Guest
Posts: n/a
 
      07-05-2007
> I was checking the Request object if it was null, but referencing the
> Response object to get the value. DUH!!!


Actually you were doing it the other way around!


 
Reply With Quote
 
Steve
Guest
Posts: n/a
 
      07-06-2007
This isn't a public web site, only internal to our intranet, and it's only
being used by people on my team, so security concerns of this nature aren't
paramount.
Forms authentication for this app is used more as a way of establishing ID
vs security.

Thanks for the heads up though.....

"Dominick Baier" wrote:

> What happens if someone manually changes the empid cookie on the client?
>
> Will that bring your app in trouble (maybe even security trouble) ?
>
>
> -----
> Dominick Baier (http://www.leastprivilege.com)
>
> Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
>
> > HA! Do I feel like an idiot:
> > if (Request.Cookies["EmpID"] != null) {
> > Login1.UserName = Response.Cookies["EmpID"].Value;
> > }
> > I was checking the Request object if it was null, but referencing the
> > Response object to get the value. DUH!!!
> >
> > Sorry for the bother and thanks for your help!!!
> > S
> > "Steve" wrote:
> >
> >> Here's the code... as you can see I am setting the expiration date.
> >> In the page load I'm looking for the cookie so my team doesn't have
> >> to enter
> >> their User ID every time.
> >> I'm posting all the code just in case you see anything else I've left
> >> out.
> >> In the Page_Load event, the cookie is always null after they've
> >> logged out.
> >>
> >> Thanks for your quick reply! Let me know if you see anything else I
> >> may have
> >> missed.
> >> S
> >> protected void Page_Load(object sender, EventArgs e) {
> >> if (!IsPostBack) {
> >> if (Request.Cookies["EmpID"] != null) {
> >> Login1.UserName = Response.Cookies["EmpID"].Value;
> >> }
> >> }
> >> }
> >> protected void Login1_LoggedIn(object sender, EventArgs e) {
> >> if (Login1.RememberMeSet) {
> >> HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
> >> cook.Expires = DateTime.Now.AddYears(1);
> >> Response.Cookies.Add(cook);
> >> }
> >> }
> >> "Scott M." wrote:
> >>
> >>> How are you setting your cookies? If you aren't providing a good
> >>> expiration date, the cookies will become "session" cookies, which
> >>> only last as long as the session does.
> >>>
> >>> "Steve" <(E-Mail Removed)> wrote in message
> >>> news:(E-Mail Removed)...
> >>>
> >>>> I'm using forms authentication with my .net 2.0 site.
> >>>> I'm setting some cookies after the user logs in, and as long
> >>>> as they stay logged in I can "see" the cookies on subsequent posts.
> >>>> The problem is that as soon as the user logs out, the cookies are
> >>>> gone.
> >>>> I know ASP will expire the Ticket cookie, but does it expire
> >>>> all other cookies too?
> >>>> Anyone else ever experience this? Is it by design?
> >>>>
> >>>> Thanks!
> >>>> S

>
>
>

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Logs button not opening Logs GUI Lester Lane Cisco 6 08-28-2009 10:02 AM
WinXP Home SP2 logs in then right away logs off Andrew Computer Support 15 10-19-2004 09:45 AM
Win XP SP2 Logs in then Logs out awallwork at sign gmail dot com Computer Support 2 10-16-2004 08:19 PM
Win XP SP2 Logs in then Logs out Andrew Computer Support 2 10-16-2004 04:27 PM
WinXP Home SP2 Logs on then Logs off awallwork at sign gmail dot com Computer Support 2 10-16-2004 02:28 AM



Advertisments