473,385 Members | 2,044 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > asp.net > questions > forms authentication cookies never expire

Join Bytes to post your question to a community of 473,385 software developers and data experts.

Forms Authentication Cookies Never Expire

This message was originally posted to the aspnet.security newsgroup,
but no one there has ever heard of this before. That is why I am
posting this message here, so that more people will see it...

On my asp.net application, suddenly the forms authentication cookies
for clients have quit expiring. This results in users being able to
access the site from day to day without having to log in, even if
their
browers are closed and reopened hours apart or even if their machines
are rebooted. This behavior did not occur in my application at first.
The problem only began after I modified the web.config file from not
having a timeout value at all (which should have used the default
value of
30mins?) to a custom value of timeout="10". Anyways that wouldn't work
right for some reason, so I took that out and went back to no entry
for
the timeout value. Now the cookies never expire! What in the world is
going on here?

---
UPDATE

I have also manually logged out using .SignOut() several times, but
the cookies again do not expire/time-out once the users log back in. I
have also cleared cookies...same results. I have verified that
timeout="30" is present in the authentication tag of web.config just
after the loginUrl value, but still the cookies are not expiring on
ANY client machines...this is crazy!!!

This has been going on now for a couple of weeks and is getting
extremely irritating. Does anyone have a clue about what I can do to
make it work again?
Nov 18 '05 #1
3 3806
2 differnent things

timeout refers to the 'session' timeout
a session object is created on a per user basis when the user accesses the
website
the session on start in global.asax is called before anything
the timeout is reset each time they call a page(can be set in iis console)
session object can be used to hold a bunch of stuff that you define
e.g. session["jobtitle"] = admin (inC#)
when the session eventually timesout
all the session[blah] stuff is lost
the forms admin cookie is entirely different
depending upon how you have set up the authentication in web.config
the user will/won't require a formauth cookie

you can set the expiry on the cookie when you issue the cookie
for instance

set the web config to
deny='?'

this will bounce all users to the http://website/virdir/login.aspx

page where you can ask them to log in
if they enter the correct password
you issue them with a cookie
can put a checkbox 'remember me' or something
which adds an expiration date of 30 days or something
next time they go in
they have the formauth cookie so they won't need to login

hope this helps
"Joey Powell" <jo*********@goldcoinc.com> wrote in message
news:bd**************************@posting.google.c om...
This message was originally posted to the aspnet.security newsgroup,
but no one there has ever heard of this before. That is why I am
posting this message here, so that more people will see it...

On my asp.net application, suddenly the forms authentication cookies
for clients have quit expiring. This results in users being able to
access the site from day to day without having to log in, even if
their
browers are closed and reopened hours apart or even if their machines
are rebooted. This behavior did not occur in my application at first.
The problem only began after I modified the web.config file from not
having a timeout value at all (which should have used the default
value of
30mins?) to a custom value of timeout="10". Anyways that wouldn't work
right for some reason, so I took that out and went back to no entry
for
the timeout value. Now the cookies never expire! What in the world is
going on here?

---
UPDATE

I have also manually logged out using .SignOut() several times, but
the cookies again do not expire/time-out once the users log back in. I
have also cleared cookies...same results. I have verified that
timeout="30" is present in the authentication tag of web.config just
after the loginUrl value, but still the cookies are not expiring on
ANY client machines...this is crazy!!!

This has been going on now for a couple of weeks and is getting
extremely irritating. Does anyone have a clue about what I can do to
make it work again?

Nov 18 '05 #2
2 differnent things

timeout refers to the 'session' timeout
a session object is created on a per user basis when the user accesses the
website
the session on start in global.asax is called before anything
the timeout is reset each time they call a page(can be set in iis console)
session object can be used to hold a bunch of stuff that you define
e.g. session["jobtitle"] = admin (inC#)
when the session eventually timesout
all the session[blah] stuff is lost
the forms admin cookie is entirely different
depending upon how you have set up the authentication in web.config
the user will/won't require a formauth cookie

you can set the expiry on the cookie when you issue the cookie
for instance

set the web config to
deny='?'

this will bounce all users to the http://website/virdir/login.aspx

page where you can ask them to log in
if they enter the correct password
you issue them with a cookie
can put a checkbox 'remember me' or something
which adds an expiration date of 30 days or something
next time they go in
they have the formauth cookie so they won't need to login

hope this helps
"Joey Powell" <jo*********@goldcoinc.com> wrote in message
news:bd**************************@posting.google.c om...
This message was originally posted to the aspnet.security newsgroup,
but no one there has ever heard of this before. That is why I am
posting this message here, so that more people will see it...

On my asp.net application, suddenly the forms authentication cookies
for clients have quit expiring. This results in users being able to
access the site from day to day without having to log in, even if
their
browers are closed and reopened hours apart or even if their machines
are rebooted. This behavior did not occur in my application at first.
The problem only began after I modified the web.config file from not
having a timeout value at all (which should have used the default
value of
30mins?) to a custom value of timeout="10". Anyways that wouldn't work
right for some reason, so I took that out and went back to no entry
for
the timeout value. Now the cookies never expire! What in the world is
going on here?

---
UPDATE

I have also manually logged out using .SignOut() several times, but
the cookies again do not expire/time-out once the users log back in. I
have also cleared cookies...same results. I have verified that
timeout="30" is present in the authentication tag of web.config just
after the loginUrl value, but still the cookies are not expiring on
ANY client machines...this is crazy!!!

This has been going on now for a couple of weeks and is getting
extremely irritating. Does anyone have a clue about what I can do to
make it work again?

Nov 18 '05 #3
Hi Joey,

One possibility is that your logon page is being cached somewhere. This is
described in an article.
263730 Site Server Users May Be Authenticated Under the Wrong Account
http://kb/article.asp?id=Q263730

Try adding this to your logon page.
Response.Cache.SetCacheability(HttpCacheability.No Cache)

---
The next step is to try a sample application to see if it has the same
problem. Please create a new project according to this article:
http://msdn.microsoft.com/library/en...lecookieauthen
tication.asp

Does it have the same problem?

Thank you, Mike
Microsoft, ASP.NET Support Professional

Microsoft highly recommends to all of our customers that they visit the
http://www.microsoft.com/protect site and perform the three straightforward
steps listed to improve your computer’s security.

This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
From: jo*********@goldcoinc.com (Joey Powell)
Newsgroups: microsoft.public.dotnet.framework.aspnet
Subject: Forms Authentication Cookies Never Expire
Date: 3 Dec 2003 20:27:47 -0800
Organization: http://groups.google.com
Lines: 32
Message-ID: <bd**************************@posting.google.com >
NNTP-Posting-Host: 69.29.57.101
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1070512067 21189 127.0.0.1 (4 Dec 2003 04:27:47 GMT) X-Complaints-To: gr**********@google.com
NNTP-Posting-Date: Thu, 4 Dec 2003 04:27:47 +0000 (UTC)
Path: cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!cpmsftng xa09.phx.gbl!TK2MSFTNGP08.
phx.gbl!newsfeed00.sul.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!ne
ws.maxwell.syr.edu!postnews1.google.com!not-for-mail Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet:194303
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

This message was originally posted to the aspnet.security newsgroup,
but no one there has ever heard of this before. That is why I am
posting this message here, so that more people will see it...

On my asp.net application, suddenly the forms authentication cookies
for clients have quit expiring. This results in users being able to
access the site from day to day without having to log in, even if
their
browers are closed and reopened hours apart or even if their machines
are rebooted. This behavior did not occur in my application at first.
The problem only began after I modified the web.config file from not
having a timeout value at all (which should have used the default
value of
30mins?) to a custom value of timeout="10". Anyways that wouldn't work
right for some reason, so I took that out and went back to no entry
for
the timeout value. Now the cookies never expire! What in the world is
going on here?

---
UPDATE

I have also manually logged out using .SignOut() several times, but
the cookies again do not expire/time-out once the users log back in. I
have also cleared cookies...same results. I have verified that
timeout="30" is present in the authentication tag of web.config just
after the loginUrl value, but still the cookies are not expiring on
ANY client machines...this is crazy!!!

This has been going on now for a couple of weeks and is getting
extremely irritating. Does anyone have a clue about what I can do to
make it work again?


Nov 18 '05 #4
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
Forms Authentication Cookie Does Not Expire
by: Joey Powell | last post by:
On my asp.net application, suddenly the forms authentication cookies for all clients have quit expiring. This results in users being able to access the site from day to day without having to log...
ASP.NET
0
Forms Authentication Cookies Never Expire
by: Joey Powell | last post by:
This message was originally posted to the aspnet.security newsgroup, but no one there has ever heard of this before. That is why I am posting this message here, so that more people will see it... ...
ASP.NET
3
Forms authentications questions
by: john | last post by:
I have 2 questions: 1. I am trying to use forms authentication. When the user logs out, I make these function calls: Session.Abandon(); FormsAuthentication.SignOut(); But after they log out,...
ASP.NET
3
Forms authentication - credential store
by: Martin | last post by:
Dear fellow ASP.NET programmer, I stared using forms authentication and temporarily used a <credentials> tag in web.config. After I got it working I realized this wasn't really practical. I...
ASP.NET
3
Forms Authenication Cookie Not Expiring Correctly
by: Mike | last post by:
I have a web application that the forms authentication cookie is not expiring correctly. When I look at the trace information of a newly requested page after the session and forms authentication have...
ASP.NET
4
Forms authorization cookie always set to expire in 2055?
by: Amil | last post by:
I'm using Forms authorization. In my <forms> section I have timeout="30", but when I examine the cookie, it shows it expiring in 2055? Why? <authentication mode="Forms"> <forms...
ASP.NET
2
Forms authentication cookies not expiring...
by: pv_kannan | last post by:
I recently found out that my authentication cookies are not expiring even though I have set the persist property to false. As a result, users are able to access the secure websites with indifferent...
ASP.NET
3
A little problem with Forms authentication :-(
by: Simon Harvey | last post by:
Hi All, I'm hoping somebody could help me with the following problem. I'm using forms authentication and the user is getting authenticated no problem. Once authenticated the user can look at...
ASP.NET
10
Forms Authentication in ASP.NET 2.0
by: Peter Bradley | last post by:
We are in the process of designing our first ASP.NET 2.0 application and have discovered that Forms Authentication works completely differently in ASP.NET 2.0. For a number of reasons, we cannot...
ASP.NET
0
Easy Steps to Fix "Canon Printer Won't Connect to WiFi Network"
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
General
0
How to turn on java script in a villaon keypad mobile phone
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
Java
0
Basic Javascript concepts
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
Javascript
0
Batch import of multiple excel files into the database
by: ryjfgjl | last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
Data Management
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!