Forms Authentication Expiration Problem

From: Edward Henn (henne@saccourt.com.no.spam)
Date: 03/28/03


From: "Edward Henn" <henne@saccourt.com.no.spam>
Date: Fri, 28 Mar 2003 09:45:57 -0800


cross-posted from framework.aspnet...

My ASP.NET (test) application is using Role-Based Forms Authentication, and
it works fine until the authentication ticket expires. After expiration,
the user is not redirected to the login page again and the user can continue
to access any page in the app as long as they keep the browser session open.
Basically it acts like expiration for the session and/or ticket is set to
"never".

I used this MSDN article
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT02.asp as an
example to create the app. As shown in this article, I am accessing Active
Directory to authenticate, then manually creating a FormsAuth ticket and a
GenericPrincipal object.

Here is the auth-related section of my web.config:

  <authentication mode="Forms">
    <forms loginUrl="Logon.aspx"
           name="adAuthCookie"
           timeout="1"
           protection="All"
           path="/">
    </forms>
  </authentication>

  <authorization>
    <deny users="?" /> <!-- Deny unauthenticated users -->
    <allow users="*" /> <!-- Allow all authenticated users -->
  </authorization>

Does anyone see a problem with this, or has anyone experienced something
similar? Or had success with a similar configuration?

What I have done in the meantime is modify Global.asax.vb's
Application_AuthenticateRequest event to check if the authTicket is Expired,
and if so, to set the ticket to Nothing to kill it. This forces the user to
the login page again. However I don't see any reference to having to do
this in the MSDN example or any other Forms Auth documentation, and it
doesn't seem like I should have to. Any thoughts, comments, questions?
Thanks

Ed
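
The expiry check described in the post above, written out as an added example; it is not part of the original message and is not the MSDN article's code. The class name GlobalApplication and the pipe-delimited role list in the ticket's UserData are assumptions made for illustration.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Hypothetical class name; it must match the Inherits attribute in Global.asax.
Public Class GlobalApplication
    Inherits HttpApplication

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Resolves to the name set in <forms name="adAuthCookie"> in web.config.
        Dim cookieName As String = FormsAuthentication.FormsCookieName
        Dim authCookie As HttpCookie = Context.Request.Cookies(cookieName)

        ' No cookie: leave the request anonymous so <deny users="?"> redirects to loginUrl.
        If authCookie Is Nothing Then Return

        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(authCookie.Value)
        Catch ex As Exception
            ' Tampered or undecryptable cookie: handled below as "no ticket".
        End Try

        ' A ticket that decrypts cleanly can still be past its expiration time,
        ' so check it before building a principal from it.
        If ticket Is Nothing OrElse ticket.Expired Then
            ' Overwrite the browser's copy with an already-expired cookie.
            Dim dead As New HttpCookie(cookieName, "")
            dead.Path = FormsAuthentication.FormsCookiePath
            dead.Expires = DateTime.Now.AddYears(-1)
            Context.Response.Cookies.Add(dead)
            Return ' no principal is attached; the request stays unauthenticated
        End If

        ' Assumption: the logon page stored the user's roles in UserData as "role1|role2".
        Dim roles() As String = ticket.UserData.Split(New Char() {"|"c})
        Context.User = New GenericPrincipal(New FormsIdentity(ticket), roles)
    End Sub
End Class
```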


