Forms Authentication Ticket Reissue

From: Stefan Leyhane (sleyhane_at_gmail.com)
Date: 03/28/05


Date: 28 Mar 2005 09:32:50 -0800

When using Forms Authentication with the SlidingExpiration attribute
set to 'true', the authentication ticket is reissued sometime after
half of the timeout value specified has elapsed.

From the documentation:
"To prevent compromised performance, and to avoid multiple browser
warnings for users that have cookie warnings turned on, the cookie is
updated when more than half the specified time has elapsed."

How is it possible to trap the ticket reissue? I have not been able
to find an event where I can catch it (even the Application_EndRequest
event).

Some more details: I'm using forms authentication with role-based
security in a manner very close to the way it is documented in many
places, such as at
"http://weblogs.asp.net/cazzu/archive/2004/07/21/FormsAuthRoles.aspx".
I'm storing the user's roles in the user data of the authentication
ticket.

I have the added complication that I need to explicitly set the domain
on the authentication cookie since I share it with some other
applications running in other subdomains. For example, if my
application is running in 'dev.xyz.com', the cookie domain gets set to
'xyz.com'. When the authentication ticket is reissued, a cookie with
the 'dev.xyz.com' domain is being created instead -- causing all sorts of
problems.

Any help is appreciated. Thanks,

Stefan

--
Stefan Leyhane
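
A model of the situation described in the post, added here as an example and not part of the original message or of ASP.NET itself: the "more than half elapsed" reissue rule from the quoted documentation, and what a browser holds once the reissued cookie is scoped to the host instead of the parent domain. Assumptions: a 30-minute timeout, the default cookie name, a sibling host `app2.xyz.com`, and the ticket lifetime standing in for cookie validity.

```python
from datetime import datetime, timedelta

TIMEOUT = timedelta(minutes=30)   # assumed <forms timeout="30">
NAME = ".ASPXAUTH"                # default forms cookie name

def renew_if_old(issued, expires, now):
    """Sliding expiration: reissue only once more than half the lifetime has elapsed."""
    if now - issued > expires - now:
        return now, now + (expires - issued)
    return issued, expires

def domain_matches(host, cookie):
    """Host-only cookies need the exact host; Domain cookies also match subdomains."""
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def valid_tickets_seen(jar, host, now):
    """Cookies the browser would send to `host` whose ticket has not expired."""
    return [c for c in jar if domain_matches(host, c) and c["expires"] > now]

def simulate():
    t0 = datetime(2005, 3, 28, 9, 0)          # constructed login time
    # Login code sets Domain=xyz.com explicitly, so every subdomain shares it.
    jar = [dict(name=NAME, domain="xyz.com", host_only=False,
                issued=t0, expires=t0 + TIMEOUT)]
    # Request to dev.xyz.com at +20 min: past the halfway point, ticket reissued.
    now = t0 + timedelta(minutes=20)
    issued, expires = renew_if_old(t0, t0 + TIMEOUT, now)
    # The reissued cookie carries no Domain, so the browser stores it as a
    # second, host-only cookie next to the original.
    jar.append(dict(name=NAME, domain="dev.xyz.com", host_only=True,
                    issued=issued, expires=expires))
    later = t0 + timedelta(minutes=40)
    return {
        "dev_at_20": len(valid_tickets_seen(jar, "dev.xyz.com", now)),
        "dev_at_40": len(valid_tickets_seen(jar, "dev.xyz.com", later)),
        "app2_at_40": len(valid_tickets_seen(jar, "app2.xyz.com", later)),
    }

if __name__ == "__main__":
    print(simulate())
```

In this model dev.xyz.com receives two cookies with the same name right after the reissue, and at 40 minutes the sibling host has no valid ticket left even though the user has stayed active on dev.xyz.com.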

