Forms Authentication Cookies Never Expire

  • Thread starter Thread starter Joey Powell
  • Start date Start date
J

Joey Powell

This message was originally posted to the aspnet.security newsgroup,
but no one there has ever heard of this before. That is why I am
posting this message here, so that more people will see it...

On my asp.net application, suddenly the forms authentication cookies
for clients have quit expiring. This results in users being able to
access the site from day to day without having to log in, even if
their
browers are closed and reopened hours apart or even if their machines
are rebooted. This behavior did not occur in my application at first.
The problem only began after I modified the web.config file from not
having a timeout value at all (which should have used the default
value of
30mins?) to a custom value of timeout="10". Anyways that wouldn't work
right for some reason, so I took that out and went back to no entry
for
the timeout value. Now the cookies never expire! What in the world is
going on here?

---
UPDATE

I have also manually logged out using .SignOut() several times, but
the cookies again do not expire/time-out once the users log back in. I
have also cleared cookies...same results. I have verified that
timeout="30" is present in the authentication tag of web.config just
after the loginUrl value, but still the cookies are not expiring on
ANY client machines...this is crazy!!!

This has been going on now for a couple of weeks and is getting
extremely irritating. Does anyone have a clue about what I can do to
make it work again?
 
2 differnent things

timeout refers to the 'session' timeout
a session object is created on a per user basis when the user accesses the
website
the session on start in global.asax is called before anything
the timeout is reset each time they call a page(can be set in iis console)
session object can be used to hold a bunch of stuff that you define
e.g. session["jobtitle"] = admin (inC#)
when the session eventually timesout
all the session[blah] stuff is lost


the forms admin cookie is entirely different
depending upon how you have set up the authentication in web.config
the user will/won't require a formauth cookie

you can set the expiry on the cookie when you issue the cookie
for instance

set the web config to
deny='?'

this will bounce all users to the http://website/virdir/login.aspx

page where you can ask them to log in
if they enter the correct password
you issue them with a cookie
can put a checkbox 'remember me' or something
which adds an expiration date of 30 days or something
next time they go in
they have the formauth cookie so they won't need to login

hope this helps
 
Hi Joey,

One possibility is that your logon page is being cached somewhere. This is
described in an article.
263730 Site Server Users May Be Authenticated Under the Wrong Account
http://kb/article.asp?id=Q263730

Try adding this to your logon page.
Response.Cache.SetCacheability(HttpCacheability.NoCache)

---
The next step is to try a sample application to see if it has the same
problem. Please create a new project according to this article:
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconsimplecookieauthen
tication.asp

Does it have the same problem?

Thank you, Mike
Microsoft, ASP.NET Support Professional

Microsoft highly recommends to all of our customers that they visit the
http://www.microsoft.com/protect site and perform the three straightforward
steps listed to improve your computer’s security.

This posting is provided "AS IS", with no warranties, and confers no rights.


--------------------
 
Back
Top