IsAuthenticated times out with non-persistent cookie - Why/How?

I'm testing very basic FormsAuthentication and having trouble with
non-persistent cookies. Once authenticated with a non-persistent
cookie, if I leave the browser alone for 30 minutes,
Request.IsAuthenticated returns false on my next request. WHY? At
first I thought it had to do with session timeout, but session timeout
is set to 20 minutes, and I'm still authenticated after 20 minutes.
Thirty minutes is the magic number. I'm at a loss to figure this out
because I can debug and still retrieve the cookie in Quickwatch -
Request.Cookies[".ASPXAUTH"], and it's still there. There's
absolutely no data in that cookie to determine that it should be
invalid. Unless...

I know the default timeout for Forms authentication is 30 minutes, but
if you do ANYTHING to change the expiration date on the authCookie,
you just made a persistent cookie instead of a non-persistent one.
Also, there is no data whatsoever on the cookie itself to let the
system know it should be expired. So, I'm left to think that the
ticket within the cookie must somehow be determining this. If so, how
can I change the timeout value? Is web.config the only way? There's
certainly no way it can be done using GetAuthCookie(). I even find
creating a new FormsAuthenticationTicket to be VERY confusing. The
"expiration" parameter is described as "The expiration date for the
cookie". Only, it's not. It's the expiration date for the ticket
within the cookie. If you touch the expiration date for the actual
cookie, it becomes persistent.

I suppose I may have talked myself through my own problem, but I'll
still post this because I think this is valuable information about an
incredibly unclear process. I have a few options:
- Don't use Request.IsAuthenticated in my
Application_AuthenticateRequest handler. Retrieve the cookie myself
with Request.Cookies[".ASPXAUTH"].
- Change the timeout property of the forms element in web.config
- Don't use GetAuthCookie or SetAuthCookie, create a new
FormsAuthenticationTicket and set the "expiration" parm manually

That wasted a few hours that could have been avoided by decent
documentation.
Nov 18 '05 #1