Scott
Hi,
We're having an issue with Forms Authentication cookies being treated as
expired / invalid, and being deleted. This is causing our intranet users a
great deal of pain.
- Running IIS 5.0 on Win2k Server
- Forms Authentication is set up with a timeout value of 45 minutes in
web.config
- Session timeout is set to 45 minutes in web.config
In viewing the IIS logs, we can see a request for an aspx page (a POST) with
a response of 302. The log shows the cookies sent in with the request -
only 2, the ASP.NET_SessionID cookie and the Forms Authentication cookie,
which we named CSSAuth.
The next request coming in is a GET request for the Forms Authentication
login aspx page. The query string contains the url of the originally
requested page. In this request there is only one cookie - the
ASP.NET_SessionID cookie. The CSSAuth cookie is NOT THERE in this request.
In looking at the logs for NORMAL expired authentication redirects these
requests always contain the CSSAuth cookie, even though it is expired. In
the cases where users get redirected to login prior to authentication
timeout, the cookie is missing from the GET request issued in response to
the redirect.
Why is this authentication ticket cookie seen as invalid prior to timeout?
Why is this cookie being removed? What piece of code is responsible for
doing all this?
Scott L.
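
The log pattern described in the post above can be searched for mechanically; this is an added example, not part of the original post. It assumes W3C extended logging with the cs(Cookie) field enabled and a login page at /login.aspx (a hypothetical path), and the sample log lines are constructed.

```python
# Constructed sample in W3C extended format (not taken from the poster's logs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
2004-03-01 09:00:00 10.0.0.5 POST /app/orders.aspx - 200 ASP.NET_SessionId=aaa;+CSSAuth=T1
2004-03-01 09:00:00 10.0.0.9 POST /app/report.aspx - 200 ASP.NET_SessionId=bbb;+CSSAuth=T2
2004-03-01 09:10:00 10.0.0.5 POST /app/orders.aspx - 302 ASP.NET_SessionId=aaa;+CSSAuth=T1
2004-03-01 09:10:01 10.0.0.5 GET /login.aspx ReturnUrl=%2fapp%2forders.aspx 200 ASP.NET_SessionId=aaa
2004-03-01 10:00:00 10.0.0.9 POST /app/report.aspx - 302 ASP.NET_SessionId=bbb;+CSSAuth=T2
2004-03-01 10:00:01 10.0.0.9 GET /login.aspx ReturnUrl=%2fapp%2freport.aspx 200 ASP.NET_SessionId=bbb;+CSSAuth=T2
"""

def parse_cookies(raw):
    """Split a logged Cookie header; IIS writes the space after ';' as '+'."""
    cookies = {}
    for part in raw.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            cookies[name.strip("+ ").lower()] = value
    return cookies

def parse_log(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["cookies"] = parse_cookies(row.get("cs(Cookie)", "-"))
            yield row

def find_dropped_tickets(rows, auth_cookie="CSSAuth", login_page="/login.aspx"):
    """Flag login GETs where the ticket cookie was present on the preceding
    302 from the same session but is absent from the follow-up request."""
    auth = auth_cookie.lower()
    last = {}   # (client IP, session id) -> previous request in that session
    hits = []
    for row in rows:
        key = (row["c-ip"], row["cookies"].get("asp.net_sessionid"))
        prev = last.get(key)
        is_login_get = (row["cs-method"] == "GET"
                        and row["cs-uri-stem"].lower() == login_page)
        if (is_login_get and prev and prev["sc-status"] == "302"
                and auth in prev["cookies"] and auth not in row["cookies"]):
            hits.append((row["date"], row["time"], row["c-ip"], prev["cs-uri-stem"]))
        last[key] = row
    return hits
```

Comparing the flagged timestamps against the 45-minute timeout, and against each session's last successful request, shows whether the drops cluster around a particular page or client.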