Windows 2003 Server, Web Farm, Forms Authentication, SlidingExpiration



I have a web farm with 3 machines running Windows 2003 Server. I am
running an ASP.NET 2.0 application that uses forms authentication. My
authentication cookie uses sliding expiration and has a timeout of 15
minutes. My session has a timeout of 20 minutes. Session state is
maintained in a SQL Server 2005 database.

My site works with anonymous and authenticated users. Anonymous users
can search for information and purchase products. Authenticated users
are administrators that configure the database with an administrative
menu of scripts.

My web.config has the following configuration.

<authentication mode="Forms">
  <forms cookieless="AutoDetect" slidingExpiration="true" timeout="15"/>
</authentication>

I thought that as long as the authenticated user is viewing pages, the
sliding expiration will keep resetting the authentication cookie's
timeout. The admin section uses meta tags in the header of each page
that refresh at 19.5-minute intervals (0.5 minutes before the session
timeout). This way I can log the user out before the one session
variable I use for UserId gets deleted.

But I am seeing the anonymous users getting redirected to the login
page. These pages do not have the refresh meta tag. And the users are
not logged in. Why are they getting redirected to the Login page?

Is it possible that an administrative user who logs out still has a
cookie in their browser? And if that administrative user surfs the
site as an anonymous user afterwards, the cookie is still detected,
and it expires in 15 minutes?

I need to get to the bottom of this issue. I can't have anonymous
users redirected to a login page.
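
Added example, not part of the original post and not ASP.NET's own code: a small Python model of how the numbers in the post interact (15-minute sliding ticket, 19.5-minute meta refresh). It assumes the documented ASP.NET rule that a sliding ticket is reissued only on a request that arrives after more than half of the timeout has elapsed; the names Ticket, on_request and replay are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

TIMEOUT_MIN = 15.0  # forms timeout="15" from the web.config in the post


@dataclass
class Ticket:
    issued: float   # minutes since login
    expires: float  # minutes since login


def issue(now: float, timeout: float = TIMEOUT_MIN) -> Ticket:
    return Ticket(issued=now, expires=now + timeout)


def on_request(ticket: Ticket, now: float,
               timeout: float = TIMEOUT_MIN) -> Tuple[Optional[Ticket], str]:
    """Model one request carrying the ticket at time `now` (minutes)."""
    if now > ticket.expires:
        return None, "expired"            # user is sent to the login page
    elapsed = now - ticket.issued
    remaining = ticket.expires - now
    if elapsed > remaining:               # more than half the timeout used
        return issue(now, timeout), "renewed"
    return ticket, "valid"                # first half: ticket is NOT reset


def replay(request_times: List[float],
           timeout: float = TIMEOUT_MIN) -> List[str]:
    """Log in at minute 0, then replay requests; stop at the first expiry."""
    ticket: Optional[Ticket] = issue(0.0, timeout)
    outcomes: List[str] = []
    for t in request_times:
        ticket, outcome = on_request(ticket, t, timeout)
        outcomes.append(outcome)
        if ticket is None:
            break
    return outcomes


if __name__ == "__main__":
    # Constructed request timelines, in minutes after login.
    print(replay([19.5]))            # idle page, only the meta refresh fires
    print(replay([5, 10, 15, 20]))   # steady browsing every 5 minutes
    print(replay([7, 16]))           # active at minute 7, next click at 16
```

In this model the only request from an idle admin page, the refresh at 19.5 minutes, already arrives after the 15-minute ticket has expired, and a request made in the first half of the window does not extend the ticket.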
