interesting form authentication expiration problem


francois

hello,

I am using forms authentication and I would like my authentication
cookie to expire after, let's say, 1 minute (just for the example).
When I log in on my logon page, the user has to input a username and password
and then click a button to actually log in.

In the event handler for my button I have the following code:

// needs: using System; using System.Web; using System.Web.Security;

// create the authentication ticket and encrypt it
// (roles is the pipe-delimited string of role names stored in the ticket's UserData)
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
    TextBoxUserName.Text, DateTime.Now, DateTime.Now.AddMinutes(1), false,
    roles);
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

// Create a cookie and add the encrypted ticket to the cookie as data.
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
    encryptedTicket);

// Add the cookie to the outgoing cookies collection.
Response.Cookies.Add(authCookie);


You can notice in the constructor of my authentication ticket the presence
of DateTime.Now.AddMinutes(1), which effectively says that if the user did
not make any other requests within 1 minute, his cookie will expire and he
will have to log in again. That works FINE.

Now I want to add role authorization to my system, and I read a Microsoft
article that tells me to implement Application_AuthenticateRequest(Object
sender, EventArgs e) in global.asax.

I did it and followed the MS guidelines, which mainly consist of creating a
Principal object and assigning it to the Context.User property. Then I can get
that User property from anywhere in my application and verify whether the user has
the role authorization he needs to view the web page.
Here is the code:

// needs: using System; using System.Web; using System.Web.Security;
//        using System.Security.Principal;

string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if (authCookie == null)
{
    return;
}

// extract and decrypt the authentication ticket from the forms
// authentication cookie
FormsAuthenticationTicket authTicket = null;
try
{
    authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch (Exception)
{
    // malformed or tampered cookie: leave the request unauthenticated
    return;
}

if (authTicket == null)
{
    return;
}

// When the ticket was created, the UserData property was assigned a
// pipe delimited string of role names.
string[] roles = authTicket.UserData.Split(new char[] { '|' });

// Create an Identity object
FormsIdentity formsIdent = new FormsIdentity(authTicket);

// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(formsIdent, roles);
// Attach the new principal object to the current HttpContext object
Context.User = principal;


Everything is working, except that now, with this piece of code in my
global.asax file, the authentication cookie never expires anymore... Why?
Is there anyone who can explain to me how this can happen and how I can solve
the problem?

Best regards and thank you in advance for any help

Francois
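The following is an added example, not code from Francois's post or from the Microsoft article he refers to. It shows the global.asax handler with the check the posted version lacks. FormsAuthentication.Decrypt only verifies and decrypts the ticket; it returns a ticket whose Expiration is already in the past, and the built-in FormsAuthenticationModule is what normally rejects such a ticket by testing ticket.Expired. A handler that assigns Context.User straight from the decrypted ticket therefore accepts expired tickets, which is why the login never ends. The sliding renewal via FormsAuthentication.RenewTicketIfOld, the HttpOnly/Secure cookie flags, the Global class name and the two helper methods are choices of this example, and it assumes roles are stored in UserData as a '|'-delimited string as in the post.

```csharp
// Added example (not the poster's code): global.asax.cs with an expiry check.
// Assumes roles live in UserData as a '|'-delimited string, as in the post.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null)
        {
            return; // anonymous request
        }

        FormsAuthenticationTicket authTicket = null;
        try
        {
            // Decrypt validates the MAC and decrypts, but it does NOT reject
            // a ticket whose Expiration is in the past.
            authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            // tampered or malformed cookie: drop it, treat the request as anonymous
            ExpireAuthCookie();
            return;
        }

        // This is the check the posted handler is missing: without it an
        // expired ticket still becomes Context.User, so the login never ends.
        if (authTicket == null || authTicket.Expired)
        {
            ExpireAuthCookie();
            return;
        }

        // Sliding expiration (a choice of this example): re-issue the ticket once
        // more than half its lifetime has elapsed, so a user who keeps making
        // requests stays logged in and an idle one is logged out after 1 minute.
        FormsAuthenticationTicket current = FormsAuthentication.RenewTicketIfOld(authTicket);
        if (!ReferenceEquals(current, authTicket))
        {
            WriteAuthCookie(current);
        }

        string[] roles = current.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(current), roles);
    }

    // Write the ticket cookie; HttpOnly keeps script away from it and Secure
    // keeps it off plain HTTP when the site is served over HTTPS.
    private void WriteAuthCookie(FormsAuthenticationTicket ticket)
    {
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = Context.Request.IsSecureConnection;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (ticket.IsPersistent)
        {
            cookie.Expires = ticket.Expiration; // otherwise it stays a session cookie
        }
        Context.Response.Cookies.Add(cookie);
    }

    // Tell the browser to discard the stale cookie so it stops sending it.
    private void ExpireAuthCookie()
    {
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Expires = DateTime.Now.AddYears(-1);
        Context.Response.Cookies.Add(cookie);
    }
}
```

Both helpers write to Context.Response, so WriteAuthCookie can also replace the hand-built cookie in the login button's handler; the ticket's own Expiration is what decides whether the user is still logged in, not the cookie's browser-side lifetime, which is why the check has to be made on the server on every request.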