Cookie Confusion with FormsAuthentication.SetAuthCookie() Method
The parameter timeout you've found in /system.web/authentication/forms is the timeout (in minutes) of the duration of authentication ticket.
This means that after a certain amount of time of inactivity, a user is prompted to login again. If you try to check this My.Profile.Current.IsAuthenticated it will be false.
You can choose not to persist the cookie. In this situation if your ticket expires, your cookie expires too. The cookie (in case is persisted) has a purpose to remember the user if he/she comes back to your site.
You might want to persist your cookie for 10 years so the user will never have to insert username and password again, unless they've chosen to delete the cookie. The cookie is valid even if the browser is closed (when it is persisted).
Another important thing to remember is the parameter slidingExpiration:
<authentication mode="Forms">
<forms loginUrl="~/Partner/LogOn" defaultUrl="~/Home/Index"
timeout="30" slidingExpiration="true" />
</authentication>
if it's true your authentication ticket will be renewed every time there's activity on your site: refresh of the page etc.
What you can do - and what I've done - is to write your own cookie like this:
FormsAuthenticationTicket authTicket = new
FormsAuthenticationTicket(1, //version
userName, // user name
DateTime.Now, //creation
DateTime.Now.AddMinutes(30), //Expiration (you can set it to 1 month
true, //Persistent
userData); // additional informations
Update
I've implemented this routine cause I want to store my groups in an encrypted cookie:
Dim authTicket As System.Web.Security.FormsAuthenticationTicket = _
New System.Web.Security.FormsAuthenticationTicket( _
1, _
UserName, _
Now, _
Now.AddYears(100), _
createPersistentCookie, _
UserData)
Dim encryptedTicket As String = System.Web.Security.FormsAuthentication.Encrypt(authTicket)
Dim authCookie As HttpCookie = New HttpCookie( _
System.Web.Security.FormsAuthentication.FormsCookieName, _
encryptedTicket)
If (createPersistentCookie) Then
authCookie.Expires = authTicket.Expiration
End If
Response.Cookies.Add(authCookie)
As you can see I've set the expiration of the authentication cookie and the authentication ticket with the same timeout (only when persisted).
Another thing that I've tried is to stored username and password in the encrypted cookie. Everytime a masterpage is loaded I check My.Profile.Current.IsAuthenticated to see if the authentication is still valid. If not I read the cookie again, get the username and password, and check it on the DB:
Public Function ReadCookieAuthentication(ByVal Context As System.Web.HttpContext) As Security.CookieAuth
Dim CookieUserData = New Security.CookieAuth()
Dim cookieName As String = System.Web.Security.FormsAuthentication.FormsCookieName
Dim authCookie As HttpCookie = Context.Request.Cookies(cookieName)
If (Not (authCookie Is Nothing)) Then
Dim authTicket As System.Web.Security.FormsAuthenticationTicket = Nothing
Try
authTicket = System.Web.Security.FormsAuthentication.Decrypt(authCookie.Value)
If (Not (authTicket Is Nothing)) Then
If (authTicket.UserData IsNot Nothing) AndAlso Not String.IsNullOrEmpty(authTicket.UserData) Then
CookieUserData = New JavaScriptSerializer().Deserialize(Of Security.CookieAuth)(authTicket.UserData.ToString)
End If
CookieUserData.UserName = authTicket.Name
End If
Catch ex As Exception
' Do nothing.
End Try
End If
Return (CookieUserData)
End Function
Security.CookieAuth is an object I've created to return username and password.
CookieUserData is the storage (I save in json format) where I put my password and groups.
Jason
CPO @rocksolid. CEO @citysourced (acquired). Angel investor. SoCal native. Love to #surf, get #outdoors, #travel and drink #whiskey. #gobruins
Updated on March 29, 2020Comments
-
Jason about 4 years
So there are lots of posts on StackOverflow regarding this, but I still was unable to solve my exact problem. Here's the gist:
I have a website that requires authentication. I am using the standard .NET
FormsAuthentication.SetAuthCookie()method to persist the user's session.My question is this: In the web.config file, there is a timeout attribute to the "/system.web/authentication/forms" node. If I set this value to say, 30 minutes, is this the time of user inactivity the user can have before their session expires?
The reason I ask is that no matter what I set this value to, if I set persistence to true in SetAuthCookie(), the expiration on the cookie set is 90 minutes. If I set persistence to false in SetAuthCookie(), the cookie expiration is set to "end of session".
What is that "Timeout" attribute value actually setting, and how can I get a persistent cookie that lasts a month or a year or longer?
-
gdubs almost 13 yearshi, sorry , i know this has been way too old but just curious, why store it in json format? the password and groups. i am very new to mvc so im still trying to understand the concepts and best practices in developing with it. thanks!
-
LeftyX almost 13 years@gdubs: Yes, I know. It's a bit unusual.I could have chosen another format but I like JSON. Plus with MVC you tend to use JSON quite a lot so I've embraced it as a standard. -
Kiquenet over 5 yearsDifferences: slidingExpiration vs time Expiration vs Persistent cookie ? -
Kiquenet over 5 yearsIf IIS App Pool recyles? Shutdown worker process if idle and recycle worker process Authentication cookie not expires, Session expires.
-
Kiquenet over 5 yearsIf modify Global.asax or Web.config, or Bin folder ?
-
LeftyX over 5 years@Kiquenet: cookies and sessions are different beasts. A persisted cookie will survive not matter what happens to the app pool. Not persisted cookies will expires as soon as they reach the timeout. Sliding Expiration is explained here. They are basically renewed if there is some interaction.
