I recently found out that my authentication cookies are not expiring
even though I have set the persist property to false. As a result,
users are able to access the secure websites with indifferent results.
Any pointers/suggestions would be very appreciated.
Things were running as usual until recently.
Here are the relevant pieces of code
==========================================
Web.config
----------------
<authentication mode="Forms">
<!-- timeout is expressed in minutes. requireSSL and slidingExpiration are not set
     here, so whatever the framework or a parent config supplies applies.
     NOTE(review): if sliding expiration is in effect, requests made late in the
     ticket's lifetime renew it, so an active session does not end after 60
     minutes; confirm the effective value. Unless requireSSL is enabled
     elsewhere, the auth cookie is not restricted to HTTPS. -->
<forms loginUrl="SignIn.aspx" name="BCAuthCookie" timeout="60"
path="/" />
</authentication>
<authorization>
<!-- These site-wide rules are inherited by <location> blocks: a request that
     matches none of a location's own rules is decided by this allow. -->
<allow users="*" /> <!-- Allow all users -->
</authorization>
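<location path="TellOthers.aspx">
  <system.web>
    <authorization>
      <!-- Rules are evaluated top-down and the first match wins. -->
      <deny users="?" />   <!-- anonymous users are sent to the login page -->
      <allow roles="AuthenticatedActiveMember" />
      <!-- Added in review: without a final deny, an authenticated user who lacks
           the role matches neither rule above and falls through to the inherited
           <allow users="*" />, so the role check restricts nothing. This assumes
           the role is attached to the principal on every request; verify that
           before deploying. -->
      <deny users="*" />
    </authorization>
  </system.web>
</location>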
Global.asax.cs
===================
Application_OnAuthenticate
--------------------------------
// Look up the forms-authentication cookie on the incoming request, using the
// cookie name that forms authentication is configured with.
string cookieName = FormsAuthentication.FormsCookieName;
// The lookup yields null when the request carries no cookie of that name.
HttpCookie authCookie = Context.Request.Cookies[cookieName];
// NOTE(review): the rest of this handler is not shown. If it decrypts the ticket
// and assigns the request's user itself, it should reject a ticket whose Expired
// property is true. A non-persistent cookie has no expiry date of its own, so
// the browser keeps sending it until it is closed and the server-side check is
// the only thing that ends the session.
SignIn.aspx.cs
===============
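// If login is successful: issue the auth cookie, then send the user on to the
// URL that forms authentication computes for them.
user.WriteAuthCookie();
// The second argument (createPersistentCookie) is false, matching the
// non-persistent ticket written above.
// NOTE(review): GetRedirectUrl derives the target from the ReturnUrl
// query-string value; confirm that the framework version in use does not let it
// point outside this application.
Response.Redirect(FormsAuthentication.GetRedirectUrl(user.Email, false));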
WriteAuthCookie
====================
/// <summary>
/// Send an encrypted Authorization cookie
/// to the user for use when authentication/authorizing
/// against web pages.
/// </summary>
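public void WriteAuthCookie()
{
    // Take a single timestamp so the issue time and the expiry are exactly
    // 60 minutes apart.
    DateTime issuedAt = DateTime.Now;

    // Build the ticket. The 60-minute lifetime is hard-coded here; it is not
    // read from the timeout attribute of the <forms> element in Web.config.
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                        // version
        Email,                    // user name
        issuedAt,                 // issue time
        issuedAt.AddMinutes(60),  // expiration
        false,                    // not persistent
        GuestStatus.ToString());  // user data

    // Protect the ticket before it leaves the server.
    string encryptedTicket = FormsAuthentication.Encrypt(ticket);

    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

    // A hand-built cookie gets none of the attributes that
    // FormsAuthentication.SetAuthCookie would apply, so set them explicitly.
    cookie.HttpOnly = true;                             // keep it away from client script (.NET 2.0 or later)
    cookie.Secure = FormsAuthentication.RequireSSL;     // honour requireSSL from <forms>
    cookie.Path = FormsAuthentication.FormsCookiePath;  // honour path from <forms>

    // Expires is deliberately left unset, which makes this a browser-session
    // cookie. The browser never discards it on a timer: the 60-minute limit
    // exists only inside the ticket and has to be enforced on the server when
    // the ticket is decrypted.
    HttpContext.Current.Response.Cookies.Add(cookie);
}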