R
rh.krish
I have a typical ASP.NET 2.0 Forms authentication application which
authenticates against Active Directory. I use non-persistent cookie so
that the user is NOT remembered across browser sessions. The timeout
is set to 10 minutes. Here is the important code snippets that I took
from my original code:
string roleToCheck = .....;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
member.UserName, DateTime.Now, DateTime.Now.AddMinutes(10), false,
roleToCheck, FormsAuthentication.FormsCookiePath);
string encryptedTicket =
FormsAuthentication.Encrypt(ticket);
HttpCookie authSessionCookie = new
HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authSessionCookie.HttpOnly = true;
authSessionCookie.Expires = ticket.Expiration;
Response.Cookies.Add(authSessionCookie);
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
Note that I'm setting the 2nd parameter to false which means that it
creates non-persistent cookie. Now I opened the IE browser and logged
in by entering the user credentials. I closed the window and there was
no other instance of IE running. I opened another IE and entered the
URL and it straight away went to default page instead of Login page.
1. Why is the cookie not expiring even after I close the browser?
2. If that's how the ASP.NET works, is there any work around so that
whenever the user closes IE and opens another IE, he should be forced
to login once again?
Thanks,
Hari.
authenticates against Active Directory. I use non-persistent cookie so
that the user is NOT remembered across browser sessions. The timeout
is set to 10 minutes. Here is the important code snippets that I took
from my original code:
string roleToCheck = .....;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
member.UserName, DateTime.Now, DateTime.Now.AddMinutes(10), false,
roleToCheck, FormsAuthentication.FormsCookiePath);
string encryptedTicket =
FormsAuthentication.Encrypt(ticket);
HttpCookie authSessionCookie = new
HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authSessionCookie.HttpOnly = true;
authSessionCookie.Expires = ticket.Expiration;
Response.Cookies.Add(authSessionCookie);
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
Note that I'm setting the 2nd parameter to false which means that it
creates non-persistent cookie. Now I opened the IE browser and logged
in by entering the user credentials. I closed the window and there was
no other instance of IE running. I opened another IE and entered the
URL and it straight away went to default page instead of Login page.
1. Why is the cookie not expiring even after I close the browser?
2. If that's how the ASP.NET works, is there any work around so that
whenever the user closes IE and opens another IE, he should be forced
to login once again?
Thanks,
Hari.