Cookie Confusion with FormsAuthentication.SetAuthCookie() Method
Asked Answered
A

1

40

So there are lots of posts on StackOverflow regarding this, but I still was unable to solve my exact problem. Here's the gist:

I have a website that requires authentication. I am using the standard .NET FormsAuthentication.SetAuthCookie() method to persist the user's session.

My question is this: In the web.config file, there is a timeout attribute to the "/system.web/authentication/forms" node. If I set this value to say, 30 minutes, is this the time of user inactivity the user can have before their session expires?

The reason I ask is that no matter what I set this value to, if I set persistence to true in SetAuthCookie(), the expiration on the cookie set is 90 minutes. If I set persistence to false in SetAuthCookie(), the cookie expiration is set to "end of session".

What is that "Timeout" attribute value actually setting, and how can I get a persistent cookie that lasts a month or a year or longer?

Aerodyne answered 8/2, 2011 at 23:2 Comment(0)
V
49

The parameter timeout you've found in /system.web/authentication/forms is the timeout (in minutes) of the duration of authentication ticket.

This means that after a certain amount of time of inactivity, a user is prompted to login again. If you try to check this My.Profile.Current.IsAuthenticated it will be false.

You can choose not to persist the cookie. In this situation if your ticket expires, your cookie expires too. The cookie (in case is persisted) has a purpose to remember the user if he/she comes back to your site.

You might want to persist your cookie for 10 years so the user will never have to insert username and password again, unless they've chosen to delete the cookie. The cookie is valid even if the browser is closed (when it is persisted).

Another important thing to remember is the parameter slidingExpiration:

<authentication mode="Forms">
    <forms loginUrl="~/Partner/LogOn" defaultUrl="~/Home/Index" 
           timeout="30" slidingExpiration="true" />
</authentication>

if it's true your authentication ticket will be renewed every time there's activity on your site: refresh of the page etc.

What you can do - and what I've done - is to write your own cookie like this:

 FormsAuthenticationTicket authTicket = new
     FormsAuthenticationTicket(1, //version
     userName, // user name
     DateTime.Now,             //creation
     DateTime.Now.AddMinutes(30), //Expiration (you can set it to 1 month
     true,  //Persistent
     userData); // additional informations

Update

I've implemented this routine cause I want to store my groups in an encrypted cookie:

Dim authTicket As System.Web.Security.FormsAuthenticationTicket = _
        New System.Web.Security.FormsAuthenticationTicket( _
            1, _
            UserName, _
            Now, _
            Now.AddYears(100), _
            createPersistentCookie, _
            UserData)

Dim encryptedTicket As String = System.Web.Security.FormsAuthentication.Encrypt(authTicket)

Dim authCookie As HttpCookie = New HttpCookie( _
    System.Web.Security.FormsAuthentication.FormsCookieName, _
    encryptedTicket)

If (createPersistentCookie) Then
    authCookie.Expires = authTicket.Expiration
End If

Response.Cookies.Add(authCookie)

As you can see I've set the expiration of the authentication cookie and the authentication ticket with the same timeout (only when persisted).

Another thing that I've tried is to stored username and password in the encrypted cookie. Everytime a masterpage is loaded I check My.Profile.Current.IsAuthenticated to see if the authentication is still valid. If not I read the cookie again, get the username and password, and check it on the DB:

Public Function ReadCookieAuthentication(ByVal Context As System.Web.HttpContext) As Security.CookieAuth

    Dim CookieUserData = New Security.CookieAuth()

    Dim cookieName As String = System.Web.Security.FormsAuthentication.FormsCookieName
    Dim authCookie As HttpCookie = Context.Request.Cookies(cookieName)

    If (Not (authCookie Is Nothing)) Then
        Dim authTicket As System.Web.Security.FormsAuthenticationTicket = Nothing
        Try
            authTicket = System.Web.Security.FormsAuthentication.Decrypt(authCookie.Value)
            If (Not (authTicket Is Nothing)) Then
                If (authTicket.UserData IsNot Nothing) AndAlso Not String.IsNullOrEmpty(authTicket.UserData) Then
                    CookieUserData = New JavaScriptSerializer().Deserialize(Of Security.CookieAuth)(authTicket.UserData.ToString)
                End If
                CookieUserData.UserName = authTicket.Name
            End If
        Catch ex As Exception
            ' Do nothing.
        End Try
    End If

    Return (CookieUserData)

End Function

Security.CookieAuth is an object I've created to return username and password.
CookieUserData is the storage (I save in json format) where I put my password and groups.

Variant answered 9/2, 2011 at 0:16 Comment(6)
hi, sorry , i know this has been way too old but just curious, why store it in json format? the password and groups. i am very new to mvc so im still trying to understand the concepts and best practices in developing with it. thanks!Vicereine
@gdubs: Yes, I know. It's a bit unusual.I could have chosen another format but I like JSON. Plus with MVC you tend to use JSON quite a lot so I've embraced it as a standard.Variant
Differences: slidingExpiration vs time Expiration vs Persistent cookie ?Decahedron
If IIS App Pool recyles? Shutdown worker process if idle and recycle worker process Authentication cookie not expires, Session expires.Decahedron
If modify Global.asax or Web.config, or Bin folder ?Decahedron
@Kiquenet: cookies and sessions are different beasts. A persisted cookie will survive not matter what happens to the app pool. Not persisted cookies will expires as soon as they reach the timeout. Sliding Expiration is explained here. They are basically renewed if there is some interaction.Variant

© 2022 - 2024 — McMap. All rights reserved.