Forms authentication cookies not expiring...

I recently found out that my authentication cookies are not expiring
even though I have set the persist property to false. As a result,
users are able to access the secure websites with indifferent results.

Any pointers/suggestions would be very appreciated.

Things were running as usual until recently.

Here are the relevant pieces of code
==========================================

Web.config
----------------
<authentication mode="Forms">
<forms loginUrl="SignIn.aspx" name="BCAuthCookie" timeout="60"
path="/" />
</authentication>

<authorization>
<allow users="*" /> <!-- Allow all users -->
</authorization>

<location path="TellOthers.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow roles="AuthenticatedActiveMember" />
</authorization>
</system.web>
</location>

Global.ascx.cs
===================
Application_OnAuthenticate
--------------------------------
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];

SignIn.aspx.cs
===============
//If login is successful
user.WriteAuthCookie();
Response.Redirect(FormsAuthentication.GetRedirectUrl(user.Email, false));

WriteAuthCookie
====================
/// <summary>
/// Send an encrypted Authorization cookie
/// to the user for use when authentication/authorizing
/// against web pages.
/// </summary>
public void WriteAuthCookie()
{
    //Create the Auth Ticket
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                           //version
        Email,                       //user name
        DateTime.Now,                //creation
        DateTime.Now.AddMinutes(60), //expiration
        false,                       //persistent
        GuestStatus.ToString());     //user data
    //Encrypt the Auth Ticket
    string encryptedTicket = FormsAuthentication.Encrypt(ticket);
    //Create a cookie and add the encrypted ticket to the cookie as data
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

    //Add the Auth Cookie to the outgoing cookies collection
    HttpContext context = HttpContext.Current;
    context.Response.Cookies.Add(cookie);
}

Nov 19 '05 #1
Check if you are properly signing out the user. On the logout
page/functionality use the following two lines:

Session.Abandon();
FormsAuthentication.SignOut();

Hope this helps.

All the Best,
Ram Adhikari.
Nov 19 '05 #2
Aren't the cookies supposed to expire when the browser is closed? If
not, how do I expire those cookies when the browser window is closed?

The users are closing the windows and reopening them and are able to
access the secure pages without signing in...
FYI...I do have the Abandon and SignOut in the Logoff button

Session.Abandon();
//Make sure the Auth Cookie is null
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
null);
FormsAuthentication.SignOut();

Nov 19 '05 #3
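
An added example, not code from any poster in this thread: a hand-built forms-authentication cookie has two separate lifetimes, the cookie's own Expires (what the browser keeps) and the ticket's Expiration (what the server accepts), and the helper below handles each explicitly. AuthCookieHelper and its method names are hypothetical; it assumes .NET Framework 2.0 or later for HttpOnly and string.IsNullOrEmpty.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example: AuthCookieHelper and its method names are hypothetical.
public static class AuthCookieHelper
{
    // Issue a session-only cookie carrying a ticket valid for `minutes`.
    public static void Issue(HttpResponse response, string userName,
                             string userData, int minutes)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(minutes),
            false,      // isPersistent: recorded in the ticket only
            userData, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                         // hidden from script
        cookie.Secure = FormsAuthentication.RequireSSL; // follow <forms requireSSL>
        // Expires stays unset: setting it makes the cookie persistent.
        response.Cookies.Add(cookie);
    }

    // Return the ticket only if it decrypts and is inside its lifetime.
    public static FormsAuthenticationTicket ReadValidTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (ArgumentException) { return null; }      // malformed value
        catch (CryptographicException) { return null; } // failed validation
    }

    // Logoff: SignOut() itself sends the expired cookie to the browser.
    public static void SignOut(HttpContext context)
    {
        if (context.Session != null) context.Session.Abandon();
        FormsAuthentication.SignOut();
    }
}
```

A cookie object that is constructed but never added to Response.Cookies is not sent to the browser, so only the SignOut() call changes what the client holds.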
