Cookie expiration


Oriane

Hi there,

I have deployed my ASP.NET 2.0 site and I use a "login" component for the
forms authentication.
Some of my users are telling me that they lost their "credentials" although
they have checked the "Remember me" checkbox.
I've googled a little, but I'm confused by the "authentication timeout"
and the "session timeout" concepts...

Best regards.

Oriane
 

Hi Oriane

"Remember me" is based on cookies. Are you sure they don't delete cookies
after they visit your site?
Also, take a look here, maybe you have this problem too
http://forums.asp.net/p/947381/1147268.aspx

Hope this helps
 
Hi Oriane,

From your description, in your ASP.NET web application which uses Forms
authentication, sometimes the user will encounter unexpected logout
behavior, correct?

As for this problem, I think it is possible that the forms authentication
ticket (generated after the user has logged in / passed the login form) has
been lost or has become invalid. Are you using the Login control to log the
user in (or manually written code to log in, such as
FormsAuthentication.RedirectFrom.....)?

Here are some possible causes I can think of; you may look over them to
see whether the issue is caused by any of them:

** Since ASP.NET forms authentication relies on a cookie to store the
authentication ticket, we have to ensure the client-side browser fully
supports cookies, so that the problem is not caused by the client side.

** Forms authentication has a timeout setting; you can check
whether this setting has been manually changed or is configured to a proper
value (or whether you left it at the default):

#Forms Authentication timeout default in ASP.NET 2.0
http://weblogs.asp.net/scottgu/archive/2005/11/08/430011.aspx


** The machineKey problem. This is what I think is the most likely cause.
ASP.NET applications need to encrypt and sign many kinds of data (such as
ViewState, WebResource URL strings, and the FormsAuthentication ticket).
However, the key used to encrypt/sign this data is by default auto-generated
per AppDomain, and the key will change whenever the AppDomain restarts.
Therefore, if your ASP.NET application has restarted for some reason (such
as an unhandled exception), the forms authentication ticket (and other data
relying on the machine key) will become invalid for the new application
instance (AppDomain). One way to resolve this problem is to manually specify
a machineKey for your ASP.NET web application. Here is an MSDN article which
introduces machineKey usage in ASP.NET 2.0:

#How To: Configure MachineKey in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ms998288.aspx

If there is anything unclear on this, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
 
Hi Steven,
"Steven Cheng" said:
> Hi Oriane,
>
> From your description, in your ASP.NET web application which uses Forms
> authentication, sometimes the user will encounter unexpected logout
> behavior, correct?

No :-( When the user connects to my site, I want his login and password to
be automatically filled in on the login page, if he has checked the
"Remember me" checkbox in the ASP.NET login component.

Apparently, this is not always the case for my web users...

Have a nice day
 
"Remember me" works differently. If you set the DisplayRememberMe
property to true and a user selects "Remember me", the
authentication token will be stored in a persistent cookie in the
browser with a default expiry of 50 years. It means that the next time he
or she logs in, he/she will be authenticated automatically without
being shown the login form.
 
Hi Alexey,
"Alexey Smirnov" <[email protected]> wrote in message:
> "Remember me" works differently. If you set the DisplayRememberMe
> property to true and a user selects "Remember me", the
> authentication token will be stored in a persistent cookie in the
> browser with a default expiry of 50 years. It means that the next time he
> or she logs in, he/she will be authenticated automatically without
> being shown the login form.

So what could explain that the persistent cookie disappears after a
while??? (I'm sure that my users don't explicitly delete their cookies!)

Oriane
 
Ok, I've understood (I think). After the session expiration, the user is
automatically logged out, and THEN he has to retype his login/password. So I
suppose that the cookie (is it the same one?) is deleted even if it is
persistent.
 
From what I understood, it is working but not for all users. So, I
suppose they delete cookies. They could also check what Privacy
settings (IE - Tools - Internet Options) they have. It can be that
they restrict all/certain cookies.

Hope this helps
 
Hi Oriane,

Yes, ASP.NET forms authentication relies on a ticket (stored in a cookie) to
identify whether the user is authenticated. There are several causes that
could make the authentication ticket no longer exist or no longer be valid.
That's why I gave you the list to check:

** client-side browser settings, or whether the user has manually cleared
cookies

** the "timeout" setting of forms authentication. This also determines the
lifetime the forms authentication cookie is generated with. Even if you
choose to persist the cookie, it will still have a lifetime, not forever

** the machineKey: if the encryption key used for the ticket changed, the
client-side ticket will become invalid, and in that case the user will also
be redirected to the login form.

For detailed check list and info, you can refer to my first reply.
Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


--------------------
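The three causes listed above (cookie not sent, ticket expired, ticket that no longer decrypts) can be told apart on the server instead of guessed at. The following IHttpModule is an added example, not code from this thread or from Microsoft; it assumes a .NET 2.0 Web Application with the class compiled into the site assembly, and the log sink (System.Diagnostics.Trace) and the names FormsTicketDiagnosticsModule and DescribeTicket are my choices.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Added example, not from the thread. Classifies the forms authentication cookie on
// every request so the three causes discussed in the thread show up separately in logs:
//   "no-cookie"     -> browser did not send it (cookies disabled or cleared, or the cookie
//                      was issued for another host such as www.site.com vs site.com)
//   "expired"       -> ticket lifetime ran out (the forms timeout setting)
//   "undecryptable" -> ticket was protected with a different machineKey, which is what
//                      an AppDomain restart with an auto-generated key produces
public class FormsTicketDiagnosticsModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // FormsAuthenticationModule also handles AuthenticateRequest; this module only observes.
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose()
    {
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        string verdict = DescribeTicket(cookie == null ? null : cookie.Value, DateTime.Now);

        // The host is logged because a cookie issued for www.site.com is not sent to site.com.
        // The raw cookie value is deliberately never written to the log.
        Trace.WriteLine(String.Format("{0:u} host={1} path={2} {3}",
            DateTime.Now, ctx.Request.Url.Host, ctx.Request.Path, verdict), "FormsTicket");
    }

    // Kept free of HttpContext so it can be exercised from a test with a captured cookie value.
    public static string DescribeTicket(string cookieValue, DateTime now)
    {
        if (cookieValue == null || cookieValue.Length == 0)
        {
            return "no-cookie";
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookieValue);
        }
        catch (Exception ex)
        {
            // Decrypt throws when the MAC check or the decryption fails; a ticket issued
            // under the previous auto-generated machineKey looks exactly like this.
            return "undecryptable (" + ex.GetType().Name + ")";
        }

        if (ticket == null)
        {
            return "undecryptable";
        }

        string state = (ticket.Expired || ticket.Expiration <= now) ? "expired" : "valid";
        return String.Format("{0} user={1} issued={2:u} expires={3:u} persistent={4}",
            state, ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent);
    }
}
```

Register it in web.config with `<httpModules><add name="FormsTicketDiagnostics" type="FormsTicketDiagnosticsModule" /></httpModules>` and point a trace listener at a file under `<system.diagnostics>`. A run of "valid ... persistent=True" entries followed by "undecryptable" entries for the same user, with no "expired" in between, points at the machineKey; "no-cookie" on one host name but not the other points at the cookie domain; "expired" on a persistent cookie points at the forms timeout value.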
 
Hi Oriane,

Do you still have any question on this?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


--------------------
 
Hi Steven,
"Steven Cheng" said:
> Hi Oriane,
>
> Do you still have any question on this?

No, since I can't really figure out how all that stuff works even though I've
tried to understand the difference between the session expiration, the
cookie time-out, the authentication time-out...
I didn't succeed in avoiding having my users type their passwords from time
to time...

Best regards
 
One thing I forgot to tell you and nobody mentioned anything about
this is the following. If you used http://www.site.com/login.aspx then
it saved cookies for www.site.com and "remember me" would work. Then
if you came to http://site.com/login.aspx you would not be
automatically authenticated, because cookies are not shared between
www.site.com and site.com. Maybe this is the reason for the problem?

In order to set cookies accessible from both URLs, you need to
explicitly set the domain for the cookie. Set the cookie domain to
".site.com"; you can set it in web.config:

<authentication mode="Forms">
<forms loginUrl="~/login.aspx" domain=".site.com"/>
</authentication>

Another way is to redirect requests from site.com to www.site.com.

If this is still not working and you believe that clients do not
delete cookies, please post your code and web.config configuration. It
is hard to diagnose the problem without seeing the code.

Hope this helps
 
Hi Oriane,

As for forms authentication, the ticket timeout doesn't have much to do
with the session, therefore you do not need to care about the session
timeout. The timeout setting I mentioned is the forms authentication's
timeout (for the ticket). Just set it via the following configuration element:

==========
<system.web>
<authentication mode="Forms">
<forms timeout="30"/>
============

#Understanding the Forms Authentication Ticket and Cookie
http://support.microsoft.com/kb/910443

Also, have you also checked the "application restart" case? You can use
some code to monitor application restart/shutdown cases to see whether the
users log their authentication ticket after some certain application
restart incidents.

#Logging ASP.NET Application Shutdown Events
http://weblogs.asp.net/scottgu/archive/2005/12/14/433194.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


--------------------
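The "monitor application restart/shutdown" suggestion above can be done with public .NET 2.0 APIs alone. This Global.asax code-behind is an added example, not the code from the linked article; it assumes a Web Application project whose App_Data folder is writable by the application pool identity, and the log file name and the helper Append are my choices.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Hosting;

// Added example, not the code from the linked article. Appends one line per AppDomain
// start, unhandled error and shutdown to App_Data/lifecycle.log so the timestamps can
// be lined up against user reports of having to log in again. If the two coincide, the
// auto-generated machineKey discussed in this thread is the likely cause.
public class Global : HttpApplication
{
    // Resolved once at start-up: there is no HttpContext inside Application_End.
    private static string logPath;
    private static readonly object logLock = new object();

    protected void Application_Start(object sender, EventArgs e)
    {
        logPath = HostingEnvironment.MapPath("~/App_Data/lifecycle.log");
        // The AppDomain name changes on every restart, so it doubles as a restart counter.
        Append("start", AppDomain.CurrentDomain.FriendlyName);
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        // An unhandled exception is one of the restart triggers mentioned in the thread.
        Exception ex = Server.GetLastError();
        Append("error", ex == null ? "(none)" : ex.GetBaseException().GetType().FullName);
    }

    protected void Application_End(object sender, EventArgs e)
    {
        // ApplicationShutdownReason is public in .NET 2.0 and names the trigger, e.g.
        // ConfigurationChange, BinDirChangeOrDirectoryRename, IdleTimeout, UnloadAppDomainCalled.
        Append("end", HostingEnvironment.ShutdownReason.ToString());
    }

    private static void Append(string kind, string detail)
    {
        if (logPath == null)
        {
            return;
        }
        string line = String.Format("{0:u} {1} {2}{3}",
            DateTime.Now, kind, detail, Environment.NewLine);
        lock (logLock)
        {
            File.AppendAllText(logPath, line);
        }
    }
}
```

Reading the file after a few days shows what is actually restarting the site: IdleTimeout entries mean the application pool is being recycled when traffic is low, ConfigurationChange means web.config was touched, and an "error" line immediately before an "end" line is the unhandled-exception case. Whatever the trigger, every "end" line is a point at which tickets issued under an auto-generated machineKey stop validating.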
 
Hi Steven,
"Steven Cheng" said:
> Hi Oriane,
>
> As for forms authentication, the ticket timeout doesn't have much to do
> with the session, therefore you do not need to care about the session
> timeout. The timeout setting I mentioned is the forms authentication's
> timeout (for the ticket). Just set it via the following configuration element:
>
> ==========
> <system.web>
> <authentication mode="Forms">
> <forms timeout="30"/>
> ============

ok.

> #Understanding the Forms Authentication Ticket and Cookie
> http://support.microsoft.com/kb/910443

I will have a look.

> Also, have you also checked the "application restart" case? You can use
> some code to monitor application restart/shutdown cases to see whether the
> users log their authentication ticket after some certain application
> restart incidents.

I log these events. Do you mean "whether the
users LOST their authentication ticket after some ..."?

> #Logging ASP.NET Application Shutdown Events
> http://weblogs.asp.net/scottgu/archive/2005/12/14/433194.aspx
Thanks for your answer
 
Hi Alexey,
> One thing I forgot to tell you and nobody mentioned anything about
> this is the following. If you used http://www.site.com/login.aspx then
> it saved cookies for www.site.com and "remember me" would work. Then
> if you came to http://site.com/login.aspx you will not be
> automatically authenticated because cookies are not shared among
> www.site.com and site.com. Maybe this is a reason of the problem?

No.

> In order to set cookies accessible by both links, you need to
> explicitly set the domain for the cookie. Set the cookie domain to
> ".site.com", you can set it in web.config:
>
> <authentication mode="Forms">
> If this is still not working and you believe that clients do not
> delete cookies, please post your code and web.config configuration. It
> is hard to diagnose the problem without seeing the code.

I'm afraid this is impossible... :-(

Best regards
 
Thanks for your followup Oriane,

Since you've added code to log the application restart event, have you
found any restart log entries, and does the forms authentication
timeout/ticket loss somewhat match the restart intervals? If so, I think
it's time to have a look at the following article:

#How To: Configure MachineKey in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ms998288.aspx

The above reference explains how to explicitly set a machineKey for your
web application so that the forms authentication ticket will be secured via
a fixed key (instead of a randomly generated key which will vary after an
application restart).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


--------------------
 
Thanks for your reply Oriane,

========================
I can't tell...
But do you mean that when the application restarts, it could invalidate my
tickets since the MachineKey would be changed ?
======================
Yes, the forms authentication ticket is secured via encryption, and the key
is by default auto-generated (since no machineKey is explicitly assigned). So
after an application restart the encryption key changes, and the previously
generated ticket will become invalid. This is a possible cause. You can try
specifying a fixed machineKey to see whether it helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


--------------------
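Steven's first reply and the two replies above all point at the MachineKey article. The step it describes, generating the fixed keys and pasting them into web.config, is shown here as an added example; it is not code from the thread or from Microsoft, and it assumes a throw-away console program run on an administrator's machine, with the class and method names being my own. The 64-byte / 32-byte sizes match the HMAC-SHA1 validation and AES decryption algorithms named in the generated element.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the thread. Prints a <machineKey> element with freshly generated
// keys. With this element in <system.web>, the key no longer changes on AppDomain restart,
// so tickets issued before a restart still validate afterwards (and every server in a web
// farm must carry the same element for tickets to be accepted by all of them).
class MachineKeyGenerator
{
    // Upper-case hex without separators, the encoding web.config expects for both keys.
    static string ToHex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    // Key material must come from the CSPRNG; System.Random is predictable and unsuitable.
    // RNGCryptoServiceProvider is not IDisposable on .NET 2.0, hence no using block.
    static byte[] RandomBytes(int length)
    {
        byte[] buffer = new byte[length];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(buffer);
        return buffer;
    }

    // Returns the complete element so a caller can write it wherever it is needed.
    static string BuildMachineKeyElement()
    {
        string validationKey = ToHex(RandomBytes(64)); // 64 bytes for validation="SHA1"
        string decryptionKey = ToHex(RandomBytes(32)); // 32 bytes for decryption="AES"

        return "<machineKey" + Environment.NewLine
             + "    validationKey=\"" + validationKey + "\"" + Environment.NewLine
             + "    decryptionKey=\"" + decryptionKey + "\"" + Environment.NewLine
             + "    validation=\"SHA1\"" + Environment.NewLine
             + "    decryption=\"AES\" />";
    }

    static void Main()
    {
        Console.WriteLine(BuildMachineKeyElement());
    }
}
```

Paste the output inside `<system.web>` of the site's web.config. Two caveats follow directly from the thread: the moment the element is added (or later changed) every existing ticket becomes undecryptable once more, so users will be asked to log in one last time; and because the keys protect every ticket the site issues, the web.config holding them must be treated as a secret and kept out of shared source repositories.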
 
Hi Oriane,

Any further progress on this? If you still have anything unclear, please
feel free to let me know and I'd be glad to help.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


--------------------
 