Re: forms authentication question



Hi,

I don't really see what you are trying to do -

the forms auth ticket has a timeout - and 2 renewal modes: sliding and non-sliding

in non-sliding the timeout is absolute - and users have to reauth after this timeout
in sliding the ticket gets renewed for the time specified in timeout after timeout/2


as long as you don't persist cookies and use SSL - I don't see a problem here?

However, if you store additional data in the cookie - like roles - you should have a manual expiration mechanism to update roles after a certain amount of time. This also gives you the chance to check if the user is still valid/roles have changed.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I want to use forms authentication, but since the forms authentication
cookie is not updated all the time, I want to use a server-side check to
validate the user's login status/information. If I create a unique
session key and store it in the forms authentication cookie as custom
data, can I check on every Application_BeginRequest() if the cookie is
expired, and if the cookie is expired but the session key is valid
(validated against the database), call
FormsAuthentication.RenewTicketIfOld and re-set the forms
authentication cookie?

It looks like this would be a good check for making sure that if
someone steals the forms authentication cookie and somehow decrypts
it, they still wouldn't be able to log in because of a server-side
check? Or maybe this is not necessary, creates overhead, and is not
secure at all? I just want some opinions.

Thanks in advance,
Eric
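The manual expiration Dominick recommends for roles stored in the cookie, combined with the server-side session-key check from the question, as an added example that is not from either poster: a Global.asax.cs sketch in C# where SessionStore, the UserData layout and the 5-minute refresh interval are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Constructed stand-in for the database lookup; a key missing here is revoked or expired.
static class SessionStore
{
    static readonly Dictionary<string, string[]> Live = new Dictionary<string, string[]>();
    public static bool IsValid(string user, string key) { return Live.ContainsKey(user + ":" + key); }
    public static string[] Roles(string user, string key) { return Live[user + ":" + key]; }
}

public partial class Global : HttpApplication
{
    // How long the roles cached in the ticket are trusted before re-checking the store (assumed).
    static readonly TimeSpan RoleRefresh = TimeSpan.FromMinutes(5);

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); } catch (Exception) { ticket = null; }
        if (ticket == null || ticket.Expired) return;   // forms auth treats the request as anonymous

        // UserData layout assumed here: "<sessionKey>|<rolesLoadedUtcTicks>|<role1,role2,...>"
        string[] parts = ticket.UserData.Split('|');
        if (parts.Length != 3) { FormsAuthentication.SignOut(); FormsAuthentication.RedirectToLoginPage(); return; }
        string sessionKey = parts[0];
        var rolesLoaded = new DateTime(long.Parse(parts[1]), DateTimeKind.Utc);
        if (DateTime.UtcNow - rolesLoaded < RoleRefresh) return;   // cached roles still fresh

        // Server-side check: the key must still be live in the store, otherwise end the session.
        if (!SessionStore.IsValid(ticket.Name, sessionKey))
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        // Reissue with fresh roles and a new timestamp; keep the original expiry so the
        // refresh never extends the session past the configured forms-auth timeout.
        string userData = sessionKey + "|" + DateTime.UtcNow.Ticks + "|" +
                          string.Join(",", SessionStore.Roles(ticket.Name, sessionKey));
        var renewed = new FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate,
            ticket.Expiration, ticket.IsPersistent, userData, ticket.CookiePath);
        var fresh = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(renewed))
            { HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Path = renewed.CookiePath };
        Request.Cookies.Set(fresh);    // so FormsAuthenticationModule reads the refreshed ticket now
        Response.Cookies.Set(fresh);   // and the browser stores it
    }
}
```

Sliding renewal of the expiry itself is left to FormsAuthentication (or RenewTicketIfOld); this only refreshes the custom data and revokes on a failed store check.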




