472,145 Members | 1,378 Online
Bytes | Software Development & Data Engineering Community
Post +

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 472,145 software developers and data experts.

IsAuthenticated times out with non-persistent cookie - Why/How?

I'm testing very basic FormsAuthentication and having trouble with
non-persistent cookies. Once authenticated with a non-persistent
cookie, if I leave the browser alone for 30 minutes,
Request.IsAuthenticated returns false on my next request. WHY? At
first I thought it had to do with session timeout, but session timeout
is set to 20 minutes, and I'm still authenticated after 20 minutes.
Thirty minutes is the magic number. I'm at a loss to figure this out
because I can debug and still retrieve the cookie in Quickwatch -
Request.Cookies[".ASPXAUTH"], and it's still there. There's
absolutely no data in that cookie to determine that it should be
invalid. Unless...

I know the default timeout for Forms authentication is 30 minutes, but
if you do ANYTHING to change the expiration date on the authCookie,
you just made a persistent cookie instead of a non-persistent one.
Also, there is no data whatsoever on the cookie itself to let the
system know it should be expired. So, I'm left to think that the
ticket within the cookie must somehow be determining this. If so, how
can I change the timeout value? Is web.config the only way? There's
certainly no way it can be done using GetAuthCookie(). I even find
creating a new FormsAuthenticationTicket to be VERY confusing. The
"expiration" parameter is described as "The expiration date for the
cookie". Only, it's not. It's the expiration date for the ticket
within the cookie. If you touch the expiration date for the actual
cookie, it becomes persistent.

I suppose I may have talked myself through my own problem, but I'll
still post this because I think this is valuable information about an
incredibly unclear process. I have a few options:
- Don't use Request.IsAuthenticated in my
Application_AuthenticateRequest handler. Retrieve the cookie myself
with Request.Cookies[".ASPXAUTH"].
- Change the timeout property of the forms element in web.config
- Don't use GetAuthCookie or SetAuthCookie, create a new
FormsAuthenticationTicket and set the "expiration" parm manually

That wasted a few hours that could have been avoided by decent
Nov 18 '05 #1
0 1706

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

4 posts views Thread by Nedu N | last post: by
reply views Thread by Luis Fajardo | last post: by
2 posts views Thread by Johnnie Norsworthy | last post: by
2 posts views Thread by Andrea | last post: by
2 posts views Thread by Zulander | last post: by
reply views Thread by leo001 | last post: by

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.