
IsAuthenticated times out with non-persistent cookie - Why/How?

I'm testing very basic FormsAuthentication and having trouble with
non-persistent cookies. Once authenticated with a non-persistent
cookie, if I leave the browser alone for 30 minutes,
Request.IsAuthenticated returns false on my next request. WHY? At
first I thought it had to do with session timeout, but session timeout
is set to 20 minutes, and I'm still authenticated after 20 minutes.
Thirty minutes is the magic number. I'm at a loss to figure this out
because I can debug and still retrieve the cookie in Quickwatch -
Request.Cookies[".ASPXAUTH"], and it's still there. There's
absolutely no data in that cookie to determine that it should be
invalid. Unless...

I know the default timeout for Forms authentication is 30 minutes, but
if you do ANYTHING to change the expiration date on the authCookie,
you just made a persistent cookie instead of a non-persistent one.
Also, there is no data whatsoever on the cookie itself to let the
system know it should be expired. So, I'm left to think that the
ticket within the cookie must somehow be determining this. If so, how
can I change the timeout value? Is web.config the only way? There's
certainly no way it can be done using GetAuthCookie(). I even find
creating a new FormsAuthenticationTicket to be VERY confusing. The
"expiration" parameter is described as "The expiration date for the
cookie". Only, it's not. It's the expiration date for the ticket
within the cookie. If you touch the expiration date for the actual
cookie, it becomes persistent.

I suppose I may have talked myself through my own problem, but I'll
still post this because I think this is valuable information about an
incredibly unclear process. I have a few options:
- Don't use Request.IsAuthenticated in my
Application_AuthenticateRequest handler. Retrieve the cookie myself
with Request.Cookies[".ASPXAUTH"].
- Change the timeout property of the forms element in web.config.
- Don't use GetAuthCookie or SetAuthCookie, create a new
FormsAuthenticationTicket and set the "expiration" parameter manually.

That wasted a few hours that could have been avoided by decent
documentation.
Nov 18 '05 #1
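
The third option from the post above, as an added example that is not part of the original post: a session (non-persistent) cookie whose encrypted ticket carries a caller-chosen expiration, plus a helper that decrypts the ticket to show the expiry the raw cookie does not expose. The names `SessionTicketIssuer`, `IssueSessionTicket` and `DescribeTicket` are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
// Added example; class and method names are hypothetical.
public static class SessionTicketIssuer
{
    // Issues a non-persistent auth cookie whose *ticket* lifetime is chosen
    // by the caller instead of the <forms timeout="..."> value.
    public static void IssueSessionTicket(HttpResponse response, string userName, TimeSpan lifetime)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                    // ticket version
            userName,
            now,                  // issue date
            now.Add(lifetime),    // ticket expiration, stored inside the encrypted value
            false,                // isPersistent
            String.Empty,         // userData
            FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        // cookie.Expires is deliberately left unset: the browser treats this as a
        // session cookie, and only the ticket's Expiration limits its validity.
        response.Cookies.Add(cookie);
    }

    // Decrypts the incoming cookie and reports the ticket's own expiry state.
    public static string DescribeTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return "no auth cookie";
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null) return "auth cookie could not be decrypted";
            return String.Format("user={0} expires={1:u} expired={2}",
                ticket.Name, ticket.Expiration, ticket.Expired);
        }
        catch (Exception) // Decrypt throws on a tampered or malformed value
        {
            return "auth cookie could not be decrypted";
        }
    }
}
```

When sliding expiration is enabled, the FormsAuthenticationModule reissues the ticket once more than half of its lifetime has elapsed, so the expiry reported by `DescribeTicket` moves forward on active sessions.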