Re: Trying to create a secure app that never times out - very confused



As often happens, putting something down in writing clears one's head.
After posting I realised how dumb one of my questions was.

3. Where is the cookie stored? I would have expected to see a cookie
in C:\Documents and Settings\user\Cookies called user@mywebsite[1].txt
but I don't. Yet looking at the traffic in Fiddler the cookie exists

The auth ticket is obviously stored in a session cookie. I re-ran a
test (the issue seems to only appear after one hour).

Now looking at the Request headers, the auth ticket IS passed in the
request. However, in the page_init of the master page (which is where
I do my authentication) the cookie is now null.

So somehow between the request and the first bit of code I can debug
on, I have lost the cookie.

Over to you folks!!

Kind Regards,
Patrick.


pgorry@xxxxxxxxx wrote:
Hi all,

I am trying to create a new website using ASP.NET 2.0. I am using
forms authentication, and I am trying to have it so that once a user
signs in, they will never time out.

However, after logging in - and then leaving the browser (IE6) open for
a given period (I have not managed to identify this period exactly yet,
usually over half an hour anyway), any call to
HttpContext.Current.User.Identity.IsAuthenticated returns false, and my
app sends them back to the login page.

Here is what I am doing:
1. The login is handled by the asp.net login control, nothing too fancy
in that
2. The web config has the following set:
    ...
    <authentication mode="Forms">
      <forms cookieless="UseDeviceProfile" timeout="500000" slidingExpiration="false"></forms>
    </authentication>
    ...
    <sessionState mode="Off"></sessionState>
3. Use the following code on the page.init to see if the user is
authenticated HttpContext.Current.User.Identity.IsAuthenticated

And my discoveries:
1. As I said - log in, leave the browser open for a period of time,
navigate to a new page, and the user is no longer authenticated
2. This appears to only be happening on the live server (which is
shared hosting - limited access). I have added some debugging to a
file, and when the call is made after the time lag
a) the value of HttpContext.Current.User.Identity.Name = "" (so
obviously the user is not authenticated)
b) The ".ASPXAUTH" cookie is no longer set
3. If I look at the cookie expiry (in debug on development machine) it
has an expiry of 01/01/0001, is this okay\normal?
4. Interestingly, if I set the timeout to be short, let's say 1 minute
the application behaves okay, I can navigate on the site for 1 minute -
and after that I am forced to login. So it is respecting the timeout
value - to some degree
5. If I intermittently access the site, then it never seems to timeout.
This adds to the confusion as I have set slidingExpiration="false"
6. This happens on two separate machines, so does not appear to be
machine independent

My Questions
1. What's happening???
2. I am thinking that possibly the cookie expiration is not getting set
to the same value time as the form timeout. Is this possible?
3. Where is the cookie stored? I would have expected to see a cookie
in C:\Documents and Settings\user\Cookies called user@mywebsite[1].txt
but I don't. Yet looking at the traffic in Fiddler the cookie exists
and does get passed.
4. Am I correct in assuming I do not need to have SessionState enabled?
I have no need for it so have it disabled.

Any help on this would be appreciated. I feel like I am missing some
configuration - or maybe a complete lack of understanding of Forms
Authentication :-)

Thanks.
Patrick.
