IsAuthenticated times out with non-persistent cookie - Why/How?

Kepler

I'm testing very basic FormsAuthentication and having trouble with
non-persistent cookies. Once authenticated with a non-persistent
cookie, if I leave the browser alone for 30 minutes,
Request.IsAuthenticated returns false on my next request. WHY? At
first I thought it had to do with session timeout, but session timeout
is set to 20 minutes, and I'm still authenticated after 20 minutes.
Thirty minutes is the magic number. I'm at a loss to figure this out
because I can debug and still retrieve the cookie in Quickwatch -
Request.Cookies[".ASPXAUTH"], and it's still there. There's
absolutely no data in that cookie to determine that it should be
invalid. Unless...

I know the default timeout for Forms authentication is 30 minutes, but
if you do ANYTHING to change the expiration date on the authCookie,
you just made a persistent cookie instead of a non-persistent one.
Also, there is no data whatsoever on the cookie itself to let the
system know it should be expired. So, I'm left to think that the
ticket within the cookie must somehow be determining this. If so, how
can I change the timeout value? Is web.config the only way? There's
certainly no way it can be done using GetAuthCookie(). I even find
creating a new FormsAuthenticationTicket to be VERY confusing. The
"expiration" parameter is described as "The expiration date for the
cookie". Only, it's not. It's the expiration date for the ticket
within the cookie. If you touch the expiration date for the actual
cookie, it becomes persistent.

I suppose I may have talked myself through my own problem, but I'll
still post this because I think this is valuable information about an
incredibly unclear process. I have a few options:
- Don't use Request.IsAuthenticated in my
Application_AuthenticateRequest handler. Retrieve the cookie myself
with Request.Cookies[".ASPXAUTH"].
- Change the timeout property of the forms element in web.config
- Don't use GetAuthCookie or SetAuthCookie, create a new
FormsAuthenticationTicket and set the "expiration" parm manually

That wasted a few hours that could have been avoided by decent
documentation.
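
The ticket-versus-cookie distinction described in the post above, as an added example that is not part of the original post: a non-persistent cookie carrying a ticket with its own timeout, plus a helper that decrypts the cookie to show the expiry data stored inside it. The class name, method names and the `timeout` parameter are hypothetical; the code assumes a classic ASP.NET (System.Web) application with Forms authentication configured.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper class; names are illustrative, not from the post.
public static class AuthTicketHelper
{
    // Issues a non-persistent (session) cookie whose encrypted ticket
    // expires after 'timeout', independent of the web.config value.
    public static void IssueSessionTicket(HttpResponse response, string userName, TimeSpan timeout)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                      // ticket version
            userName,
            now,                    // issue date
            now.Add(timeout),       // expiration of the TICKET, not the cookie
            false,                  // isPersistent
            string.Empty,           // userData
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        // cookie.Expires is deliberately left unset: setting it would turn
        // this into a persistent cookie.
        response.Cookies.Add(cookie);
    }

    // Decrypts the auth cookie to expose the expiry data that is not visible
    // on the HttpCookie object itself. Returns null if there is no usable ticket.
    public static string DescribeTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // malformed or tampered value
        if (ticket == null) return null;

        return string.Format("user={0} issued={1:u} expires={2:u} expired={3}",
            ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.Expired);
    }
}
```

Calling `DescribeTicket(Request)` from `Application_AuthenticateRequest` shows the ticket's `Expiration` and `Expired` values for a cookie that is still present in `Request.Cookies`.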
 
