FormsAuthentication timeout and persistent cookie


  • Hi,

    I've found an issue with formsauthentication and persistent cookie.

    Scenario:

    CS 2.0
    ASP.NET 2.0
    ASP.NET 2.0 built-in membership/roles/profile

    This is a piece of my web.config:

    <forms name=".CommunityServer"
    protection="All" timeout="60" loginUrl="login.aspx" slidingExpiration="true"
    />

    The problem:

    1) In the login form, I select "Remember me", so I want a persistent authentication ticket (and cookie)
    2) I'm logged on
    3) I close the browser, open again, and I'm logged on (nothing strange... it's a persistent cookie)
    4) I close the browser, and I wait for 60 minutes. After 60 minutes, I open the web site, and I'm not logged on! (this is STRANGE)

    Due to this strange behavior, I inspected the code... and I can see that in "UserCookie.WriteCookie" you add 30 days to the cookie expiration.

    The problem is that this is not sufficient in ASP.NET 2.0, because of the new behavior of FormsAuthentication, that will use the "timeout" value you set in web.config file also for persistent cookies.

    Googling I've found this:

    http://blogs.msdn.com/dansellers/archive/2006/02/15/532359.aspx

    This change in ASP.NET 2.0 is not well documented. The only official document I've found is:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGExplained0002.asp

    this is an excerpt:
    "timeout is used to specify a limited lifetime for the forms authentication session. The default value is 30 minutes. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie."

    So, the result is that you add 30 days for the cookie expiration... but the ticket will expire after 60 minutes.

    What do you think about this problem?

    Did you find a solution?

    Thanks,

    Bye

  • This has been fixed in CS v2.1.  You need to set the timeout higher on the <forms> line (we're using like 9999) and you also need to up the cookieTimeout setting on the <roleManager> line.  This will fix the logout issues.
  • ken:
    This has been fixed in CS v2.1.  You need to set the timeout higher on the <forms> line (we're using like 9999) and you also need to up the cookieTimeout setting on the <roleManager> line.  This will fix the logout issues.

    Setting a higher value is the only fix you've done in CS 2.1, or did you change other things in the code?

    In my opinion this will not completely fix the problem. This is only a workaround.

    When I set a higher value, I'm doing that also for session cookies... this is not so good, I think. And also, setting 9999, I'm setting about 7 days... so, if I choose to remember my password, and I'll access the web site after 7 days... I'll be logged out again. This goes in conflict with your rule: adding 30 days to the authentication cookie (as I see in the CS 2.0 source code, now).

  • The issue is not in CS, it is within ASP.NET.  In actuality, the bug was in ASP.NET v1.1, in that it ignored those settings.  In ASP.NET 2.0, it works as intended, just not as people are used to.
  • ken:
    The issue is not in CS, it is within ASP.NET.

    You're right.

    In fact, I think that ASP.NET should allow developers to set 2 timeouts... one for session cookies, and one for persistent cookies. It is not acceptable, in my opinion, to set a "9999" timeout for a session cookie... this is a risk, too. A risk that the user doesn't know...

    But this is an ASP.NET problem [:-)]

    Anyway, I think that it could be possible, to override this behavior creating a ticket, setting its expiration according to the mode, persistent or session.

    http://forums.asp.net/thread/1106700.aspx

    If you haven't already done that.... it could be great to have that behavior in CS 2.1 [:-)]

    Thanks,

    Bye
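The approach proposed in the last post (issue the ticket yourself and set its expiration according to the persistent/session mode, instead of raising the web.config timeout for everyone) looks like this in ASP.NET 2.0. This is an added example, not Community Server code and not the code from the linked forum thread; the two lifetimes (60 minutes for a session ticket, 30 days for a "Remember me" ticket) are assumed values chosen to match the numbers discussed above, and `AuthTicketIssuer` is a hypothetical helper name.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not Community Server code): build the forms-authentication
// ticket explicitly so that its lifetime depends on the "Remember me" choice.
// FormsAuthentication.SetAuthCookie would apply the web.config "timeout"
// to persistent tickets as well (the ASP.NET 2.0 behaviour discussed above).
public static class AuthTicketIssuer
{
    // Assumed lifetimes: short for session tickets, long only for persistent ones.
    // Keeping the session lifetime short limits the exposure window of a
    // stolen session cookie; only the user who opted in gets the 30-day ticket.
    public static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(60);
    public static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(30);

    // Returns the cookie to send; "now" is a parameter so the logic is testable.
    public static HttpCookie CreateAuthCookie(string userName, bool rememberMe, DateTime now)
    {
        TimeSpan lifetime = rememberMe ? PersistentLifetime : SessionLifetime;
        DateTime expires = now.Add(lifetime);

        // Version 1 ticket, no custom userData, cookie path taken from config.
        // The ticket carries its own IssueDate/Expiration, which is what the
        // FormsAuthenticationModule checks (and renews, with the same interval,
        // when slidingExpiration="true").
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, expires, rememberMe, string.Empty,
            FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                           // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;   // honour requireSSL from web.config

        // Only the persistent ticket gets a cookie Expires; without it the
        // cookie is a browser-session cookie and disappears when the browser closes.
        if (rememberMe)
        {
            cookie.Expires = expires;
        }
        return cookie;
    }

    // Typical call from the login page after the membership provider has
    // validated the credentials.
    public static void Issue(HttpResponse response, string userName, bool rememberMe)
    {
        response.Cookies.Add(CreateAuthCookie(userName, rememberMe, DateTime.Now));
    }
}
```

Two points to check when adopting this: the ticket's own expiration, not the web.config `timeout`, now decides when the user is logged out, so the `timeout` attribute can stay at a conservative value for session logins; and the role cookie mentioned earlier in the thread is a separate cookie governed by `cookieTimeout` on `<roleManager>`, which this helper does not touch.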