Re: forms authentication question
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Jan 2006 17:40:38 +0000 (UTC)
Hi,
sorry - calling Renew on every request does not make sense. Have read the docs now :))
But you could manually renew the ticket if you want to - i just wouldn't go through the hassle of the session key - and keeping them in sync manually.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
Hi,
ok - you made two points
a) avoiding expiration
why don't you just call RenewTicketIfOld on every request?
b) stealing the cookie
if the cookie is expired - it is expired. If someone can steal the cookie (including your session key) - he can keep the ticket alive by regularly posting back to the web site. I don't see a security gain here.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
I have 20 minute timeout on the session key. Every time a request is made to the database, the expiration time is updated. I can increase the timeout on the forms authentication cookie, but I really would like to keep both the session key and the forms authentication cookie close to each other if possible. If I set the forms authentication cookie timeout to 40 minutes and I have a page where the code is not hitting the database, then the user will be valid for 40 minutes, instead of 20. But if I set the forms authentication timeout to 20 and then validate the session key (stored in the forms cookie as user's data) against the database, then the timeouts will be in sync. I just don't know what solution is better: increase the forms timeout, or keep the same timeout for both the session key and the forms cookie and validate/extend the session key on every request.
"Dominick Baier [DevelopMentor]" wrote:
Hi,
so does your session key also have an expiration time? why don't you just set a longer timeout on the forms ticket?
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
Thank you for the reply. Yes, the forms authentication cookie has a sliding timeout or absolute timeout, but my problem is that the sliding expiration does not get updated all the time. So, if I set the sliding expiration to 20 minutes, the cookie will be updated after 10 minutes, and if the user did something in the first 10 minutes, but then didn't do anything for the next 15 minutes, the forms authentication cookie will be timed out. That's what I'm trying to avoid. Storing a custom session key in the cookie gives me the ability to renew the cookie as long as the session key has not expired. I will also be using an in-memory cookie and SSL, so that it will be difficult to steal the forms authentication cookie, but if it's stolen, there would be another level of server-side checks that would have to be passed.
"Dominick Baier [DevelopMentor]" wrote:
Hi,
i don't really see what you are trying to do -
the forms auth ticket has a timeout - and 2 renewal modes: sliding and non sliding
in non sliding the timeout is absolute - and users have to reauth after this timeout
in sliding the ticket gets renewed for the time specified in timeout after timeout/2
as long as you don't persist cookies and use SSL - i don't see a problem here..? However, if you store additional data in the cookie - like roles - you should have a manual expiration mechanism to update roles after a certain amount of time. This also gives you the chance to check if the user is still valid/roles have changed.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
I want to use forms authentication, but since the forms authentication cookie is not updated all the time, I want to use a server-side check to validate the user's login status/information. If I create a unique session key and store it in the forms authentication cookie as custom data, can I check on every Application_BeginRequest() if the cookie is expired, and if the cookie is expired but the session key is valid (validated against the database), call FormsAuthentication.RenewTicketIfOld and re-set the forms authentication cookie?
It looks like this would be a good check for making sure that if someone steals the forms authentication cookie and somehow decrypts it, they still wouldn't be able to login because of a server-side check? Or maybe this is not necessary, creates overhead, and not secure at all? I just want some opinions.
Thanks in advance, Eric
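The mechanism discussed in this thread (a server-side session key carried in the ticket's UserData, validated and extended on every request, with the forms ticket renewed manually whenever the key is still valid) is shown below as an added example. It is not code from Eric or Dominick. Assumptions: an in-memory dictionary stands in for Eric's database table of session keys, the check is hooked in Application_AuthenticateRequest (rather than Application_BeginRequest, so that the FormsAuthentication cookie has already been received but the request can still be rejected cleanly), and IssueTicket is a hypothetical helper the login page would call. ShouldRenew reproduces the built-in sliding rule Dominick describes (renewal only after half the timeout has elapsed), which is why a ticket active only in its first ten minutes can still expire at twenty.

```csharp
// Hypothetical Global.asax.cs for an ASP.NET 2.0 application (example code, not from the thread).
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Constructed stand-in for the database table of session keys and their expiry times.
    static readonly Dictionary<string, DateTime> SessionKeyExpiry = new Dictionary<string, DateTime>();
    static readonly TimeSpan SessionKeyTimeout = TimeSpan.FromMinutes(20); // same 20 minutes as the thread
    static readonly object SyncRoot = new object();

    // Called from the login page (hypothetical helper): mint a session key, record its expiry
    // server-side, and carry the key in the ticket's UserData so it can be checked on each request.
    public static string IssueTicket(HttpRequest request, HttpResponse response, string userName)
    {
        string sessionKey = Guid.NewGuid().ToString("N"); // illustrative; a CSPRNG-backed value is preferable
        lock (SyncRoot) { SessionKeyExpiry[sessionKey] = DateTime.UtcNow + SessionKeyTimeout; }
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now + SessionKeyTimeout, false /* not persistent */, sessionKey,
            FormsAuthentication.FormsCookiePath);
        WriteTicketCookie(request, response, ticket);
        return sessionKey;
    }

    // Validate-and-extend: mirrors "every time a request is made ... the expiration time is updated".
    // Returns false when the key is unknown or has already expired server-side.
    public static bool TouchSessionKey(string sessionKey)
    {
        if (string.IsNullOrEmpty(sessionKey)) return false;
        lock (SyncRoot)
        {
            DateTime expires;
            if (!SessionKeyExpiry.TryGetValue(sessionKey, out expires) || expires < DateTime.UtcNow)
            {
                SessionKeyExpiry.Remove(sessionKey); // expired keys are purged, so they cannot be revived
                return false;
            }
            SessionKeyExpiry[sessionKey] = DateTime.UtcNow + SessionKeyTimeout;
            return true;
        }
    }

    // Explicit server-side revocation (logout, password change, admin disable): the cookie may
    // still be in the browser, but TouchSessionKey will fail from now on.
    public static void RevokeSessionKey(string sessionKey)
    {
        lock (SyncRoot) { SessionKeyExpiry.Remove(sessionKey); }
    }

    // The sliding-expiration rule: the built-in renewal only happens once more than half the
    // ticket lifetime has elapsed (or the ticket is already expired). Shown here so the decision
    // is testable; the manual renewal below uses it too.
    public static bool ShouldRenew(FormsAuthenticationTicket ticket, DateTime now)
    {
        TimeSpan lifetime = ticket.Expiration - ticket.IssueDate;
        TimeSpan halfLife = TimeSpan.FromTicks(lifetime.Ticks / 2);
        return now >= ticket.Expiration || now - ticket.IssueDate >= halfLife;
    }

    static void WriteTicketCookie(HttpRequest request, HttpResponse response, FormsAuthenticationTicket ticket)
    {
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                       // keep script from reading the ticket
        cookie.Secure = request.IsSecureConnection;   // the thread assumes SSL; only send over TLS
        // No Expires set: an in-memory (session) cookie, as Eric intends.
        response.Cookies.Set(cookie);
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return; // anonymous request

        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { /* tampered or undecryptable cookie: treat as invalid */ }

        // Server-side check: the ticket is only honoured while its session key is alive.
        if (ticket == null || !TouchSessionKey(ticket.UserData))
        {
            FormsAuthentication.SignOut();            // clears the cookie
            FormsAuthentication.RedirectToLoginPage(); // ends the request
            return;
        }

        // Manual renewal: the key is valid, so re-issue the ticket even if the module's
        // sliding rule would not have renewed it yet (or it has already expired).
        if (ShouldRenew(ticket, DateTime.Now))
        {
            DateTime now = DateTime.Now;
            FormsAuthenticationTicket renewed = new FormsAuthenticationTicket(
                ticket.Version, ticket.Name, now, now + SessionKeyTimeout, ticket.IsPersistent,
                ticket.UserData, ticket.CookiePath);
            WriteTicketCookie(Request, Response, renewed);
        }
    }
}
```

The server-side key does not stop a stolen cookie from being replayed while the key is alive, which is Dominick's point; what it adds is that the server can end the session on its own terms (RevokeSessionKey, or simply letting the key lapse), so the two timeouts stay in sync and a ticket cannot outlive the key.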