Re: forms authentication question
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Jan 2006 15:40:09 +0000 (UTC)
Hi,
So does your session key also have an expiration time? Why don't you just set a longer timeout on the forms ticket?
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
Thank you for the reply. Yes, the forms authentication cookie has a sliding timeout or absolute timeout, but my problem is that the sliding expiration does not get updated all the time. So, if I set the sliding expiration to 20 minutes, the cookie will be updated after 10 minutes, and if the user did something in the first 10 minutes, but then didn't do anything for the next 15 minutes, the forms authentication cookie will have timed out. That's what I'm trying to avoid. Storing a custom session key in the cookie gives me the ability to renew the cookie as long as the session key has not expired. I will also be using an in-memory cookie and SSL, so that it will be difficult to steal the forms authentication cookie, but if it's stolen, there would be another level of server-side checks that would have to be passed.
"Dominick Baier [DevelopMentor]" wrote:
Hi,
I don't really see what you are trying to do.
The forms auth ticket has a timeout and 2 renewal modes: sliding and non-sliding.
In non-sliding the timeout is absolute, and users have to reauth after this timeout. In sliding, the ticket gets renewed for the time specified in timeout after timeout/2. As long as you don't persist cookies and use SSL, I don't see a problem here..?
However, if you store additional data in the cookie - like roles - you should have a manual expiration mechanism to update roles after a certain amount of time. This also gives you the chance to check if the user is still valid/roles have changed.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
I want to use forms authentication, but since the forms authentication cookie is not updated all the time, I want to use a server-side check to validate the user's login status/information. If I create a unique session key and store it in the forms authentication cookie as custom data, can I check on every Application_BeginRequest() if the cookie is expired, and if the cookie is expired but the session key is valid (validated against the database), call FormsAuthentication.RenewTicketIfOld and re-set the forms authentication cookie?
It looks like this would be a good check for making sure that if someone steals the forms authentication cookie and somehow decrypts it, they still wouldn't be able to log in because of a server-side check? Or maybe this is not necessary, creates overhead, and is not secure at all? I just want some opinions.
Thanks in advance, Eric
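One way to wire up the Application_BeginRequest check Eric describes, as an added example that is not code from anyone in this thread. SessionKeyStore is a hypothetical stand-in for the database lookup of session keys; the ticket's UserData holds only the session key.

```csharp
// Global.asax.cs for ASP.NET 2.0 forms authentication. Added example, not code from the thread.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
// Hypothetical stand-in for the database table of live session keys Eric describes;
// the server-side record carries its own expiry and is the real authority.
static class SessionKeyStore
{
    static readonly Dictionary<string, DateTime> Live = new Dictionary<string, DateTime>();
    public static bool IsValid(string user, string key)
    {
        DateTime expires;
        return Live.TryGetValue(user + ":" + key, out expires) && expires > DateTime.Now;
    }
}
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; }      // tampered or wrongly keyed cookie
        if (ticket == null || !ticket.Expired)
            return;   // live ticket: FormsAuthenticationModule does the normal sliding renewal
        // Ticket timed out on the client, but the server-side session may still be live.
        // Only the session key sits in UserData; look it up before re-issuing anything.
        if (string.IsNullOrEmpty(ticket.UserData) || !SessionKeyStore.IsValid(ticket.Name, ticket.UserData))
        {
            FormsAuthentication.SignOut();
            return;
        }
        // Re-issue with a fresh window; RenewTicketIfOld keeps Name, UserData and IsPersistent.
        FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(ticket);
        HttpCookie fresh = new HttpCookie(FormsAuthentication.FormsCookieName,
                                          FormsAuthentication.Encrypt(renewed));
        fresh.HttpOnly = true;  // not readable from script
        fresh.Secure = true;    // sent only over SSL, as the thread assumes
        fresh.Path = FormsAuthentication.FormsCookiePath;
        // No Expires set: it remains an in-memory (non-persistent) cookie
        Response.Cookies.Add(fresh);
    }
}
```

The same lookup is where Dominick's point about stale roles belongs: since the server-side record is consulted whenever a ticket is reissued, a disabled account or changed roles can be caught there rather than trusted from the cookie.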