Problem with Forms Authentication cookies

From: Scott (ScottLorenz_at_UniversalComputerSys.Com)
Date: 10/15/03


Date: Wed, 15 Oct 2003 15:09:50 -0500

Hi,

We're having an issue with Forms Authentication cookies being treated as
expired / invalid, and being deleted. This is causing our intranet users a
great deal of pain.

- Running IIS 5.0 on Win2k Server
- Forms Authentication is set up with a timeout value of 45 minutes in
web.config
- Session timeout is set to 45 minutes in web.config

In viewing the IIS logs, we can see a request for an aspx page (a POST) with
a response of 302. The log shows the cookies sent in with the request -
only 2, the ASP.NET_SessionID cookie and the Forms Authentication cookie,
which we named CSSAuth.

The next request coming in is a GET request for the Forms Authentication
login aspx page. The query string contains the url of the originally
requested page. In this request there is only one cookie - the
ASP.NET_SessionID cookie. The CSSAuth cookie is NOT THERE in this request.

In looking at the logs for NORMAL expired authentication redirects, these
requests always contain the CSSAuth cookie, even though it is expired. In
the cases where users get redirected to login prior to authentication
timeout, the cookie is missing from the GET request issued in response to
the redirect.

Why is this authentication ticket cookie seen as invalid prior to timeout?
Why is this cookie being removed? What piece of code is responsible for
doing all this?

Scott L.
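
Added example, not part of the original post: a script that runs the comparison described above over an IIS W3C log, marking each login-page GET that follows a 302 as carrying or missing the CSSAuth cookie. The login page path, the logged field set and the sample log lines are assumptions constructed for illustration.

```python
"""Added example: classify login redirects in an IIS W3C log by whether the
Forms Authentication cookie was still sent on the request after the 302."""

AUTH_COOKIE = "CSSAuth"               # cookie name from the post
SESSION_COOKIE = "ASP.NET_SessionID"  # as written in the post
LOGIN_STEM = "/login.aspx"            # assumed path of the login page

# Constructed sample log lines (not taken from the poster's server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
2003-10-15 14:00:01 10.0.0.5 POST /orders/edit.aspx - 302 ASP.NET_SessionID=aaa111;+CSSAuth=0A1B2C
2003-10-15 14:00:01 10.0.0.5 GET /login.aspx ReturnUrl=%2forders%2fedit.aspx 200 ASP.NET_SessionID=aaa111
2003-10-15 14:50:00 10.0.0.9 POST /orders/list.aspx - 302 ASP.NET_SessionID=bbb222;+CSSAuth=3D4E5F
2003-10-15 14:50:00 10.0.0.9 GET /login.aspx ReturnUrl=%2forders%2flist.aspx 200 ASP.NET_SessionID=bbb222;+CSSAuth=3D4E5F
2003-10-15 14:55:00 10.0.0.7 GET /orders/list.aspx - 200 ASP.NET_SessionID=ccc333;+CSSAuth=778899
"""

def parse_cookies(raw):
    """IIS logs cookies as 'a=1;+b=2' ('+' stands for a space); '-' means none."""
    if raw == "-":
        return {}
    pairs = (p.strip("+ ").partition("=") for p in raw.split(";"))
    return {name: value for name, _, value in pairs if name}

def find_login_redirects(log_text):
    """Return (time, client, verdict) for each login-page GET that follows a 302."""
    fields, last, findings = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        cookies = parse_cookies(rec.get("cs(Cookie)", "-"))
        # Correlate by session cookie, which both requests carry; else by IP.
        key = cookies.get(SESSION_COOKIE) or rec["c-ip"]
        prev = last.get(key)
        if (prev and prev["status"] == "302" and prev["had_auth"]
                and rec["cs-method"] == "GET"
                and rec["cs-uri-stem"].lower() == LOGIN_STEM):
            verdict = "cookie_sent" if AUTH_COOKIE in cookies else "cookie_missing"
            findings.append((rec["time"], rec["c-ip"], verdict))
        last[key] = {"status": rec["sc-status"], "had_auth": AUTH_COOKIE in cookies}
    return findings

if __name__ == "__main__":
    for row in find_login_redirects(SAMPLE_LOG):
        print(*row)
```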


