Forms Authentication Cookie Does Not Expire


Joey Powell

On my asp.net application, suddenly the forms authentication cookies
for all clients have quit expiring. This results in users being able
to access the site from day to day without having to log in, even if
their browsers are closed and then reopened hours apart or even if
their machines are rebooted.

This behavior did not occur in my application at first. The problem
only began after I modified the web.config file from not having a
timeout value at all (which should have used the default of 30mins?)
to a custom value of timeout="10". Anyways that wouldn't work right
for some reason so I took that out and went back to no entry for the
timeout value. That is when the problem started happening. Now, even
though I have manually added the timeout value back in and set it to
30, the cookies still never expire! I have posted a snippet of the
web.config file below as it is now...

<authentication mode="Forms">
  <forms loginUrl="LogIn.aspx" timeout="30">
    <credentials passwordFormat="Clear">
      <user name="SomeUser" password="SomePassword"/>
    </credentials>
  </forms>
</authentication>

<authorization>
  <allow users="*"/>
</authorization>

The following section was added to secure the private parts of the
site...

<location path="Portal">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

As you can clearly see, I have indicated a [timeout="30"] value in the
forms tag. I have also done several builds/compiles, but the
authentication cookies never expire. What in the world is going on
here?
 
Hi Joey,

I think you can try to change the name property for the Form element in
web.config. This property specifies the HTTP cookie to use for
authentication. If there is something wrong with your previous cookie's
expiration, a new cookie will force it to get refreshed.

If the problem still occurs, you may check the authorization setting for
your web application. <deny users="?"/> only denies anonymous users, not all
"invalid" users.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
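
An added example, not part of the thread and not code from either poster: a C# helper that decrypts the forms authentication ticket on the incoming request and reports whether it is persistent and when it expires, which shows whether clients are still presenting a ticket issued before the web.config change. The class and method names are hypothetical.

```csharp
// Added diagnostic example; AuthCookieDiagnostics and Describe are hypothetical names.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class AuthCookieDiagnostics
{
    // Describes the forms authentication ticket on the current request.
    // The browser sends back only the cookie name and value, never the
    // cookie's own Expires attribute, so the ticket is the only expiry
    // information the server can inspect.
    public static string Describe(HttpRequest request)
    {
        // FormsCookieName reflects the name attribute of <forms> in web.config.
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie cookie = request.Cookies[cookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return "No cookie named '" + cookieName + "' on this request.";

        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { }      // value is not a well-formed ticket
        catch (CryptographicException) { } // protected with a different key
        catch (HttpException) { }          // validation of the ticket failed
        if (ticket == null)
            return "Cookie '" + cookieName + "' does not contain a readable ticket.";

        // IsPersistent = true means the ticket was issued as a persistent
        // ("remember me") cookie that survives browser restarts.
        return String.Format(
            "user={0} persistent={1} issued={2:u} expires={3:u} expired={4}",
            ticket.Name, ticket.IsPersistent,
            ticket.IssueDate.ToUniversalTime(),
            ticket.Expiration.ToUniversalTime(),
            ticket.Expired);
    }
}
```

Call it from a page under Portal and write the result to a server-side trace or log rather than to the response, since it contains the user name.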