Re: Forms-based authentication expires before timeout
From: Hernan de Lahitte (hernan_at_lagash.com)
Date: 02/04/04
- Next message: smanettix: "FormsAuthenticationTicket"
- Previous message: Casper Hornstrup: "Re: MD5 implementation"
- In reply to: SPAMFILTER: "Re: Forms-based authentication expires before timeout"
- Next in thread: SPAMFILTER: "Re: Forms-based authentication expires before timeout"
- Reply: SPAMFILTER: "Re: Forms-based authentication expires before timeout"
Date: Wed, 4 Feb 2004 09:48:37 -0300
Check the page sequence that makes the login page load.
Are all the pages in this seq. in the same application/forms auth scope?
Is your authz config something like this?
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
--
Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com

"Anders Lybecker" <anders@(SPAMFILTER)lybecker.com> wrote in message
news:7ic12011kkin7m7cvnntpofffb9fuf7en7@4ax.com...
> On Mon, 2 Feb 2004 12:18:30 -0300, "Hernan de Lahitte"
> <hernan@lagash.com> wrote:
>
> >If you are experiencing timeout problems, it might be the big gap between
> >the session timeout and the Forms cookie timeout renewal.
>
> Why should the gap cause this problem?
>
> >The latter will
> >renew its value when more than half the specified time has elapsed (5 hs).
> >If you have a session timeout of 2 hours, then the session will expire long
> >before the cookie. So adjusting the forms timeout or the session timeout
> >value should solve this problem. However, I agree with Keith's comments about
> >the suggested timeout values. Remember the "Defense in depth" security
> >practice and despite you may have a VPN or plenty of processing resources,
> >the majority of the attacks always comes from the inside.
>
> In a series of page requests after the user has logged in one of them
> suddenly fails and the login page is displayed. The timeframe is less
> than 10 minutes - a lot less than the timeout.
>
> Any suggestions?
>
> Regards
> Anders Lybecker
>
> >Regards,
> >
> >Hernan de Lahitte
> >Lagash Systems S.A.
> >http://www.lagash.com
> >
> >"Anders Lybecker" <anders@(SPAMFILTER)lybecker.com> wrote in message
> >news:3oks10thgkqgssvig4nohicgog5vgnmn8s@4ax.com...
> >> On Sat, 31 Jan 2004 20:51:45 -0800, "Keith" <keith@keithadler.com>
> >> wrote:
> >>
> >> >First of all, 10 hours for session timeout is going to
> >> >crush your servers. That's an absolutely resource
> >> >intensive approach to session timeouts.
> >>
> >> I don't care, we've got plenty of resources. :-)
> >> The client is always right, and I have nothing to say in this matter.
> >>
> >> > In addition, it
> >> >also represents a security concern that someone could get
> >> >up from their session and have it remain active as much
> >> >as 10 hours later. I would think 2 hours each value
> >> >would be more than adequate, but in reality 20 minutes is
> >> >a good approach for most sites. That means your session
> >> >is renewed for 10 hours after each click.
> >>
> >> Everything is running within a secure VPN network, so security is not
> >> that high a concern.
> >>
> >> >Even so, my gut instinct is that the problem you're
> >> >having is related to how you're setting the timeout.
> >> >First of all, know that the Administrator can control
> >> >session timeout settings. Second, please forward along
> >> >the part of your web.config and aspx files where you
> >> >programmatically set the limits. A common mistake is to
> >> >use the server clock to set the session timeout
> >> >client-side. Clocks are never in perfect concert.
> >> >
> >> >What I really think the problem is, is that your forms based
> >> >authentication ticket isn't being renewed. This is
> >> >caused by FormsAuthentication.SlidingExpiration being
> >> >false. Check to see at runtime if the value is false.
> >> >If so your expiration is not being reset each request.
> >> >
> >> >Here's a related link:
> >> >http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=90860
> >>
> >> Here is part of the web.config:
> >>
> >> <authentication mode="Forms">
> >>   <forms loginUrl="Login.aspx" timeout="600"/>
> >> </authentication>
> >>
> >> And the single line of code that sets the authentication token from
> >> the Login.aspx file:
> >>
> >> FormsAuthentication.RedirectFromLoginPage(strUserName, False)
> >>
> >> Am I missing something?
> >>
> >> Thanks
> >> Anders Lybecker
> >>
> >> >>-----Original Message-----
> >> >>Hi,
> >> >>
> >> >>I'm having a problem with the forms-based authentication. The user is
> >> >>getting timed out long before the timeout period has passed.
> >> >>The forms-based authentication timeout is set to 10 hours and session
> >> >>timeout to 2 hours.
> >> >>
> >> >>Has anyone experienced the same problems?
> >> >>
> >> >>I'm running framework 1.0.3705 on windows 2k server with IIS 5
> >> >>
> >> >>Any help is appreciated.
> >> >>
> >> >>Regards
> >> >>Anders Lybecker
> >> >>
> >> >>.
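An added example, not part of the original thread and not ASP.NET code: a small Python model of the two timers discussed in the thread, the forms ticket (renewed only once more than half of its lifetime has elapsed) and the session (restarted on every request). It goes slightly beyond the thread by also replaying a short 20-minute timeout. Assumptions: sliding expiration is on, the request times are constructed, and `simulate` and `Outcome` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass
class Outcome:
    minute: float
    authenticated: bool    # forms ticket still valid when the request arrived
    ticket_renewed: bool   # ticket reissued with a fresh expiry on this request
    session_alive: bool    # session state survived the gap since the last request

def simulate(request_minutes, forms_timeout, session_timeout):
    """Replay requests (minutes since login) against both timers.

    Model only (assumed, not ASP.NET code): sliding expiration is on, the
    ticket is renewed when elapsed time exceeds remaining time, and the
    session timer restarts on every request.
    """
    issued, expires, last_seen = 0.0, float(forms_timeout), 0.0
    outcomes = []
    for t in request_minutes:
        session_alive = (t - last_seen) < session_timeout
        if t >= expires:
            # Ticket expired: the user is sent back to the login page.
            outcomes.append(Outcome(t, False, False, session_alive))
            break
        renewed = (t - issued) > (expires - t)   # more than half elapsed
        if renewed:
            issued, expires = t, t + forms_timeout
        last_seen = t
        outcomes.append(Outcome(t, True, renewed, session_alive))
    return outcomes

if __name__ == "__main__":
    # Constructed request times, in minutes after login.
    scenarios = {
        "thread settings, forms=600 session=120": ([30, 90, 240], 600, 120),
        "20/20, early click then 19 min idle":    ([9, 28], 20, 20),
        "20/20, click after the halfway point":   ([11, 28], 20, 20),
    }
    for name, (times, forms, session) in scenarios.items():
        print(name)
        for o in simulate(times, forms, session):
            print("  ", o)
```

With the thread's settings the user is still authenticated at minute 240 but the session state is gone; with the 20-minute timeout the ticket expires after only 19 idle minutes, because the click at minute 9 came before the halfway point and did not renew it.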