I have a typical ASP.NET 2.0 Forms authentication application which authenticates against Active Directory. I use a non-persistent cookie so that the user is NOT remembered across browser sessions. The timeout is set to 10 minutes. Here are the important code snippets that I took from my original code:
string roleToCheck = .....;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, member.UserName, DateTime.Now, DateTime.Now.AddMinutes(10), false, roleToCheck, FormsAuthentication.FormsCookiePath);
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie authSessionCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authSessionCookie.HttpOnly = true;
authSessionCookie.Expires = ticket.Expiration;
Response.Cookies.Add(authSessionCookie);
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
Note that I'm setting the 2nd parameter to false, which means that it creates a non-persistent cookie. Now I opened the IE browser and logged in by entering the user credentials. I closed the window and there was no other instance of IE running. I opened another IE and entered the URL, and it went straight to the default page instead of the Login page.
1. Why is the cookie not expiring even after I close the browser?
2. If that's how ASP.NET works, is there any workaround so that whenever the user closes IE and opens another IE, he is forced to log in once again?
Thanks,
Hari.
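The login code above rewritten so that the ticket travels in a session cookie, as an added example that is not part of the original post. ASP.NET emits an expires attribute whenever HttpCookie.Expires is set, and the browser then stores the cookie until that time even after it is closed, whatever the ticket's isPersistent flag says. The class name SessionOnlyLogin and the SignIn parameters are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (name and signature are assumptions, not from the post).
public static class SessionOnlyLogin
{
    // Adds the forms-auth ticket to the response as a session cookie and
    // returns the URL the login page should redirect to.
    public static string SignIn(HttpResponse response, string userName, string roles)
    {
        DateTime now = DateTime.Now;

        // Same ticket as in the post: 10-minute lifetime, roles in userData.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // version
            userName,
            now,                                 // issue date
            now.AddMinutes(10),                  // ticket expiration
            false,                               // isPersistent
            roles,                               // userData
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = FormsAuthentication.RequireSSL;

        // Deliberately no "cookie.Expires = ticket.Expiration": leaving Expires
        // unset means no expires attribute is sent, so the browser holds the
        // cookie in memory only and drops it when the browser is closed.
        // The 10-minute limit still applies, because the expiration is stored
        // inside the encrypted ticket and checked by the server on each request.
        response.Cookies.Add(cookie);

        // Only compute the return URL here; the caller performs the redirect.
        return FormsAuthentication.GetRedirectUrl(userName, false);
    }
}
```

From the login handler this would be called as `Response.Redirect(SessionOnlyLogin.SignIn(Response, member.UserName, roleToCheck));`. FormsAuthentication.RedirectFromLoginPage is avoided because it issues its own ticket cookie for the user name, separate from the custom ticket that carries the role data.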