
Forms Authentication Cookie Not Expiring Correctly

I have a web application that the forms authentication cookie is not expiring correctly. When I look at the trace information of a newly requested page after the session and forms authentication have expired the forms authentication cookie is assigned a new value. I am never redirected to the login page after my initial login. If I access the site from http://localhost/myapp instead of myapp.domain.com the cookies expire correctly. The cookies are being sent/received by the client as I'm able to store data in the session and I can get past the login page. Any Ideas???
Nov 18 '05 #1

I have tracked it down to the code in the global.asax. If I comment out the Application_AuthenticateRequest code the user is redirected to the login page after the authentication ticket has expired. I don't know why the cookie is in the Request object as it should have expired and never sent to the server. Is this a bug in MS's example or in the way that the expiration time is set on the cookie or in the fact that the cookie is being sent to the server??? Thanks

Mike

// requires: using System.Security.Principal; using System.Web.Security;
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    //extract the forms authentication cookie
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];

    if (null == authCookie)
    {
        //there is no authentication cookie
        return;
    }

    //extract and decrypt the authentication ticket from the forms authentication cookie
    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch //(Exception ex)
    {
        return;
    }

    if (null == authTicket)
    {
        //cookie failed to decrypt
        return;
    }
    else if (authTicket.Expired)
    {
        return;
    }

    //parse out the pipe separated list of role names attached to the ticket when
    //the user was originally authenticated
    //when the ticket was created, the UserData property was assigned a
    //pipe delimited string of role names
    string[] roles = authTicket.UserData.Split(new char[] {'|'});

    //create a FormsIdentity object with the user name obtained from the ticket name
    //and a GenericPrincipal object that contains this identity together with the user's role list

    //create an Identity object
    FormsIdentity id = new FormsIdentity(authTicket);

    //this principal will flow throughout the request
    GenericPrincipal principal = new GenericPrincipal(id, roles);

    //attach the new principal object to the current HttpContext object
    Context.User = principal;
}

----- Mike wrote: -----

I have a web application that the forms authentication cookie is not expiring correctly. When I look at the trace information of a newly requested page after the session and forms authentication have expired the forms authentication cookie is assigned a new value. I am never redirected to the login page after my initial login. If I access the site from http://localhost/myapp instead of myapp.domain.com the cookies expire correctly. The cookies are being sent/received by the client as I'm able to store data in the session and I can get past the login page. Any Ideas???
Nov 18 '05 #2

"Mike" <an*******@discussions.microsoft.com> wrote in message
news:1E**********************************@microsof t.com...

I have tracked it down to the code in the global.asax. If I comment
out the Application_AuthenticateRequest code the user is redirected to the
login page after the authentication ticket has expired. I don't know why the
cookie is in the Request object as it should have expired and never sent to
the server. Is this a bug in MS's example or in the way that the expiration
time is set on the cookie or in the fact that the cookie is being sent to
the server??? Thanks!

Check on the domain being assigned to the cookie. If you get different
results based on the URL, it's probably a domain problem (though there's a
small chance it could be a path problem).
--
John Saunders
johnwsaundersiii at hotmail
Nov 18 '05 #3
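
One way to run the check suggested in the reply above, as an added example that is not part of the thread: a diagnostic that traces what the browser actually sent and what the decrypted ticket says about its own lifetime, so the output under http://localhost/myapp and myapp.domain.com can be compared. `AuthCookieDiagnostics` and `LogAuthCookieState` are hypothetical names; the code assumes ASP.NET forms authentication with page tracing enabled.

```csharp
// Added diagnostic sketch, not code from the thread.
// AuthCookieDiagnostics / LogAuthCookieState are hypothetical names.
using System;
using System.Web;
using System.Web.Security;

public sealed class AuthCookieDiagnostics
{
    public static void LogAuthCookieState(HttpContext context)
    {
        string cookieName = FormsAuthentication.FormsCookieName;
        // A request never carries Domain, Path or Expires: the browser sends only
        // name=value pairs. Count the pairs with the auth cookie's name; more than
        // one means the browser holds copies under different domain/path scopes.
        string rawHeader = context.Request.Headers["Cookie"];
        int copies = 0;
        foreach (string pair in (rawHeader == null ? "" : rawHeader).Split(';'))
        {
            string name = pair.Split('=')[0].Trim();
            if (String.Equals(name, cookieName, StringComparison.OrdinalIgnoreCase)) copies++;
        }
        context.Trace.Write("AuthDiag", "host=" + context.Request.Url.Host + " copies=" + copies);

        HttpCookie authCookie = context.Request.Cookies[cookieName];
        if (authCookie == null) return;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception ex)
        {
            context.Trace.Warn("AuthDiag", "ticket failed to decrypt", ex);
            return;
        }
        if (ticket == null) return;

        // The ticket's own timestamps are what the server can rely on. An IssueDate
        // that moves forward between requests means the ticket is being reissued
        // rather than left to expire. The cookie value itself is never logged.
        context.Trace.Write("AuthDiag",
            "issued=" + ticket.IssueDate.ToString("s") +
            " expires=" + ticket.Expiration.ToString("s") +
            " expired=" + ticket.Expired +
            " path=" + ticket.CookiePath);
    }
}
```

Call `AuthCookieDiagnostics.LogAuthCookieState(Context)` at the top of `Application_AuthenticateRequest` and read the `AuthDiag` entries in the page trace for each host name.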

Hardcoded domain before cookie was sent to browser and still have same problem. The path is set to "/"

Mike

----- John Saunders wrote: -----

"Mike" <an*******@discussions.microsoft.com> wrote in message
news:1E**********************************@microsof t.com...
I have tracked it down to the code in the global.asax. If I comment
out the Application_AuthenticateRequest code the user is redirected to the
login page after the authentication ticket has expired. I don't know why the
cookie is in the Request object as it should have expired and never sent to
the server. Is this a bug in MS's example or in the way that the expiration
time is set on the cookie or in the fact that the cookie is being sent to
the server??? Thanks!

Check on the domain being assigned to the cookie. If you get different
results based on the URL, it's probably a domain problem (though there's a
small chance it could be a path problem).
--
John Saunders
johnwsaundersiii at hotmail

Nov 18 '05 #4
