
Forms Authentication Cookies Never Expire

This message was originally posted to the aspnet.security newsgroup,
but no one there has ever heard of this before. That is why I am
posting this message here, so that more people will see it...

On my asp.net application, suddenly the forms authentication cookies
for clients have quit expiring. This results in users being able to
access the site from day to day without having to log in, even if
their browsers are closed and reopened hours apart or even if their
machines are rebooted. This behavior did not occur in my application
at first. The problem only began after I modified the web.config file
from not having a timeout value at all (which should have used the
default value of 30mins?) to a custom value of timeout="10". Anyways
that wouldn't work right for some reason, so I took that out and went
back to no entry for the timeout value. Now the cookies never expire!
What in the world is going on here?

---
UPDATE

I have also manually logged out using .SignOut() several times, but
the cookies again do not expire/time-out once the users log back in. I
have also cleared cookies...same results. I have verified that
timeout="30" is present in the authentication tag of web.config just
after the loginUrl value, but still the cookies are not expiring on
ANY client machines...this is crazy!!!

This has been going on now for a couple of weeks and is getting
extremely irritating. Does anyone have a clue about what I can do to
make it work again?
Nov 18 '05 #1
2 different things

timeout refers to the 'session' timeout
a session object is created on a per user basis when the user accesses the
website
the session on start in global.asax is called before anything
the timeout is reset each time they call a page (can be set in iis console)
session object can be used to hold a bunch of stuff that you define
e.g. Session["jobtitle"] = "admin" (in C#)
when the session eventually times out
all the session[blah] stuff is lost
the forms admin cookie is entirely different
depending upon how you have set up the authentication in web.config
the user will/won't require a formauth cookie

you can set the expiry on the cookie when you issue the cookie
for instance

set the web config to
deny='?'

this will bounce all users to the http://website/virdir/login.aspx
page where you can ask them to log in
if they enter the correct password
you issue them with a cookie
can put a checkbox 'remember me' or something
which adds an expiration date of 30 days or something
next time they go in
they have the formauth cookie so they won't need to login

hope this helps

Nov 18 '05 #2
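
The approach described in the reply above (set the expiry when you issue the cookie, with a 'remember me' checkbox), as an added example that is not part of any post in this thread. The class and method names and the 30-minute and 30-day lifetimes are assumptions, and the password check is left to the application.

```csharp
// Added example, not code from the thread: code-behind for login.aspx.
using System;
using System.Web;
using System.Web.Security;

public class LoginPage : System.Web.UI.Page
{
    // Assumed policy values, chosen for illustration.
    static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(30);
    static readonly TimeSpan RememberMeLifetime = TimeSpan.FromDays(30);

    // Hypothetical helper: call it from the login button handler after the
    // application's own credential check has succeeded.
    protected void IssueAuthCookie(string userName, bool rememberMe)
    {
        DateTime now = DateTime.Now;
        DateTime expires = now.Add(rememberMe ? RememberMeLifetime : SessionLifetime);

        // The expiration is stored inside the encrypted ticket, so the server
        // stops honouring it after 'expires' even if the browser keeps
        // sending the cookie.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, expires, rememberMe, "",
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                         // ASP.NET 2.0 and later
        cookie.Secure = FormsAuthentication.RequireSSL; // follows web.config

        // Only a "remember me" cookie gets an Expires date and is written to
        // disk; without one the browser discards the cookie when it closes.
        if (rememberMe)
            cookie.Expires = expires;

        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, rememberMe));
    }
}
```

Keeping the cookie's Expires equal to the ticket's expiration means the browser-side and server-side lifetimes cannot drift apart.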
Hi Joey,

One possibility is that your logon page is being cached somewhere. This is
described in an article.
263730 Site Server Users May Be Authenticated Under the Wrong Account
http://kb/article.asp?id=Q263730

Try adding this to your logon page.
Response.Cache.SetCacheability(HttpCacheability.NoCache)

---
The next step is to try a sample application to see if it has the same
problem. Please create a new project according to this article:
http://msdn.microsoft.com/library/en...lecookieauthentication.asp

Does it have the same problem?

Thank you, Mike
Microsoft, ASP.NET Support Professional

Microsoft highly recommends to all of our customers that they visit the
http://www.microsoft.com/protect site and perform the three straightforward
steps listed to improve your computer's security.

This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
From: jo*********@goldcoinc.com (Joey Powell)
Newsgroups: microsoft.public.dotnet.framework.aspnet
Subject: Forms Authentication Cookies Never Expire
Date: 3 Dec 2003 20:27:47 -0800

Nov 18 '05 #4
