F
francois
hello,
I am using forms authentication and I would like that my authentication
cookie expires after let say 1 minutes (just for the exemple).
When I log in in my longon page, the user has to input a username, password
and the click a button to effectively login.
In the event handler for my button I have the following code:
// create authentication ticket and encrypt it
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
TextBoxUserName.Text, DateTime.Now, DateTime.Now.AddMinutes(1), false,
roles);
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the cookie as data.
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
// Add the cookie to the outgoing cookies collection.
Response.Cookies.Add(authCookie);
You can notice in the constructor of my authentication ticket the presence
of DateTime.Now.AddMinutes(1) which effectively says that if the user did
not made any other requests within 1 minute, his cookie will expires and he
will have to long in again. That works FINE.
Now I want to add role authorization in my system and I read a Microsoft
article that tells me to implement Application_AuthenticateRequest(Object
sender, EventArgs e) in global.asax
I dot it and follow the MS guidelines which mainly consist of creating a
Principal object and assign it to the Context.User property. Then in can get
that User property from anywhere in my application and verify if the user as
the role authorization he needs to view the webpage.
here is the code :
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if(authCookie==null)
{
return;
}
// extract and decrypt the authentication ticket from the forms
authentication cookie
FormsAuthenticationTicket authTicket = null;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch(Exception ex)
{
return;
}
if (authTicket==null)
{
return;
}
// When the ticket was created, the UserData property was assigned a
// pipe delimited string of role names.
string[] roles = authTicket.UserData.Split(new char[]{'|'});
// Create an Identity object
FormsIdentity formsIdent = new FormsIdentity(authTicket);
// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(formsIdent, roles);
// Attach the new principal object to the current HttpContext object
Context.User = principal;
Everything is working except that now with this piece of code in my
global.asax file, the authentication cookie never expires anymore... Why ?
Is there anyone who can explain me how this can happen and how I can solve
the problem?
Best regards and thank you in advance for any help
Francois
I am using forms authentication and I would like that my authentication
cookie expires after let say 1 minutes (just for the exemple).
When I log in in my longon page, the user has to input a username, password
and the click a button to effectively login.
In the event handler for my button I have the following code:
// create authentication ticket and encrypt it
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
TextBoxUserName.Text, DateTime.Now, DateTime.Now.AddMinutes(1), false,
roles);
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the cookie as data.
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
// Add the cookie to the outgoing cookies collection.
Response.Cookies.Add(authCookie);
You can notice in the constructor of my authentication ticket the presence
of DateTime.Now.AddMinutes(1) which effectively says that if the user did
not made any other requests within 1 minute, his cookie will expires and he
will have to long in again. That works FINE.
Now I want to add role authorization in my system and I read a Microsoft
article that tells me to implement Application_AuthenticateRequest(Object
sender, EventArgs e) in global.asax
I dot it and follow the MS guidelines which mainly consist of creating a
Principal object and assign it to the Context.User property. Then in can get
that User property from anywhere in my application and verify if the user as
the role authorization he needs to view the webpage.
here is the code :
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if(authCookie==null)
{
return;
}
// extract and decrypt the authentication ticket from the forms
authentication cookie
FormsAuthenticationTicket authTicket = null;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch(Exception ex)
{
return;
}
if (authTicket==null)
{
return;
}
// When the ticket was created, the UserData property was assigned a
// pipe delimited string of role names.
string[] roles = authTicket.UserData.Split(new char[]{'|'});
// Create an Identity object
FormsIdentity formsIdent = new FormsIdentity(authTicket);
// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(formsIdent, roles);
// Attach the new principal object to the current HttpContext object
Context.User = principal;
Everything is working except that now with this piece of code in my
global.asax file, the authentication cookie never expires anymore... Why ?
Is there anyone who can explain me how this can happen and how I can solve
the problem?
Best regards and thank you in advance for any help
Francois