Forms Login Page Not Login Out

i have seen that behavior (to a certain extent) on local machine but once i
put it on my host it does behave...

the behavior i noticed was that if you logged in using forms authentication
and didnot explicitly signout.. ie invalidating the cookie.. . you can still
open a new browser window and you can go straight through... but only for
the period of time where the ticket is valid... ( the session is again
dependant on browser instance.. so i will have a new session)

ie i explicity create forms ticket and i specify a valid till time of 30
mins...

session is a different story all togather... session is not bound by forms
authentication rather by itself it based on whether it receives any request
from client... 20 mins i think is the default timeout... so you can still
hav a valid cookie but can have new session if you log in and not use you
site for 25 mins.. and then start browsing again...

they are two different things (session and authentication) and dont confuse
them.... when you design you app just be sure that you know how exactly it
behaves.

--
Regards,

HD

"Kenneth Keeley" <ke*******@hotmail.com.nowhere> wrote in message
news:uh**************@tk2msftngp13.phx.gbl...

Hi,
I have a web app that has forms authentication and I can login to the
page the first time I go there but it never times me out if I come back in
24 hours a hit the refresh key the page loads and I am still logged in. My
session details are gone but I am still logged.

These are the settings I am using are they right or do I need to change
them?
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="login.aspx"
protection="Validation" timeout="20" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
Thanks for the Help
Kenneth

Hi,

"Hermit Dave" <he************@CAPS.AND.DOTS.hotmail.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...

i have seen that behavior (to a certain extent) on local machine but once i put it on my host it does behave... So do you think that Mine will be ok?
ie i explicity create forms ticket and i specify a valid till time of 30
mins...

How did you do that.

Thanks

should be alright.. its always worth a try...

here's the code... copying it from my post a few days back...

Here's bit of forms authentication from my project

// Register.aspx.cs - register and log user the first time

private void btnRegister_Click(object sender, System.EventArgs e)
{
if(Page.IsValid)
{
FormsAuthentication.Initialize();
UserDetail myUser = new UserDetail();
myUser.Email = txtEmail.Text;
myUser.PasswordHash =
FormsAuthentication.HashPasswordForStoringInConfig File(txtPassword.Text,
"md5");
UsersDB myUserDB = new UsersDB();

bool UserAdded = myUserDB.SetUserInfo(ref myUser);
if(UserAdded == false)
{
lblUserExists.Visible = true;
return;
}
else
{
LoggedUserInfo myUserInfo = myUserDB.GetRoles(myUser.Email,
myUser.PasswordHash);
if(myUserInfo.Role != null && myUserInfo.Role != "")
{
Security.SetUserInfo(myUserInfo, false);
// Redirect to the requested URL
string returnURL;
if(ViewState["returnURL"] != null)
returnURL = (string)ViewState["returnURL"];
else
returnURL = "/";

Response.Redirect(returnURL);
}
}
}
}

----------------------------------------------------------------------------
------------------
// Security.cs containing Security Class // used to set the authentication
ticket and cookie
public static void SetUserInfo(LoggedUserInfo myUser, bool persistant)
{
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket
(
1, // Ticket Version
myUser.UserID + ", " + myUser.Name, // UserName associated with the
ticket
DateTime.Now, // Date time issued
DateTime.Now.AddMinutes(30), // date time to expire
persistant, // cookie persistance
myUser.Role, // user data
FormsAuthentication.FormsCookiePath // cookie path configured
);
// Encrypt the cookie using machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
hash);
// set cookie's expiration time to ticket's expiration time
if(ticket.IsPersistent)
cookie.Expires = ticket.Expiration;
HttpContext.Current.Response.Cookies.Add(cookie);
}

----------------------------------------------------------------------------
---------------------
// Login.aspx - Log user in
private void btnLogin_Click(object sender, System.EventArgs e)
{
if(Page.IsValid)
{
FormsAuthentication.Initialize();
UsersDB myUser = new UsersDB();

string email, passwordHash;
email = txtEmail.Text;
passwordHash =
FormsAuthentication.HashPasswordForStoringInConfig File(txtPassword.Text,
"md5");
LoggedUserInfo myUserInfo = myUser.GetRoles(email, passwordHash);
if(myUserInfo.Role != null && myUserInfo.Role != "")
{
Security.SetUserInfo(myUserInfo, chkRememberMe.Checked);

// Redirect to the requested URL
string returnURL;
if(ViewState["returnURL"] != null)
returnURL = (string)ViewState["returnURL"];
else
returnURL = "/";

Response.Redirect(returnURL);
}
else
{
lblErrorMsg.Text = "UserName / Password Incorrect Please try again.";
}
}

}

----------------------------------------------------------------------------
---------------------------------
// Web.config file
// under configuration >> system.web
<authentication mode="Forms">
<forms name=".ASPXAUTH"
loginUrl="Login.aspx"
timeout = "30"
slidingExpiration="true"
protection="All"
path="/" />
</authentication>

----------------------------------------------------------------------------
----------------------------------
// Last but not the least....
// Global.asax.cs
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
if(HttpContext.Current.User != null)
{
if(HttpContext.Current.User.Identity.IsAuthenticat ed)
{
if(HttpContext.Current.User.Identity is FormsIdentity)
{
FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;

// get data stored in cookie
string userData = ticket.UserData;
string[] roles = userData.Split(',');
HttpContext.Current.User = new GenericPrincipal(id, roles);
}
}
}
}
----------------------------------------------------------------------------
--------

i can access my user info using
HttpContext.Current.User
can validate whether user is in a particular role or what his name is or his
id is.

hope this helps... know its a long post but didnt have an option...
--
Regards,

HD
--
Regards,

HD

"Kenneth Keeley" <ke*******@hotmail.com.nowhere> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...

Hi,

"Hermit Dave" <he************@CAPS.AND.DOTS.hotmail.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...

i have seen that behavior (to a certain extent) on local machine but

once i

put it on my host it does behave...

So do you think that Mine will be ok?

ie i explicity create forms ticket and i specify a valid till time of 30
mins...

How did you do that.

Thanks

Hi,
Thanks for the sample, But I found it hard to understand and have not been
able to get it to work. I use VB.Net and an SQL database for the user
accounts, Could you help me to make your sample work with this
configuration.

Thanks
Kenneth

Kenneth,

I will try and do some VB.NET code but might take some time as i dont
normally use VB.NET

--
Regards,

HD

"Kenneth Keeley" <ke*******@hotmail.com.nowhere> wrote in message
news:%2****************@TK2MSFTNGP09.phx.gbl...

Hi,
Thanks for the sample, But I found it hard to understand and have not been able to get it to work. I use VB.Net and an SQL database for the user
accounts, Could you help me to make your sample work with this
configuration.

Thanks
Kenneth