IsAuthenticated times out with non-persistent cookie - Why/How?


From: Kepler (ferretofwrath_at_hotmail.com)
Date: 10/27/04


Date: 27 Oct 2004 09:27:09 -0700

I'm testing very basic FormsAuthentication and having trouble with
non-persistent cookies. Once authenticated with a non-persistent
cookie, if I leave the browser alone for 30 minutes,
Request.IsAuthenticated returns false on my next request. WHY? At
first I thought it had to do with session timeout, but session timeout
is set to 20 minutes, and I'm still authenticated after 20 minutes.
Thirty minutes is the magic number. I'm at a loss to figure this out
because I can debug and still retrieve the cookie in Quickwatch -
Request.Cookies[".ASPXAUTH"], and it's still there. There's
absolutely no data in that cookie to determine that it should be
invalid. Unless...

I know the default timeout for Forms authentication is 30 minutes, but
if you do ANYTHING to change the expiration date on the authCookie,
you just made a persistent cookie instead of a non-persistent one.
Also, there is no data whatsoever on the cookie itself to let the
system know it should be expired. So, I'm left to think that the
ticket within the cookie must somehow be determining this. If so, how
can I change the timeout value? Is web.config the only way? There's
certainly no way it can be done using GetAuthCookie(). I even find
creating a new FormsAuthenticationTicket to be VERY confusing. The
"expiration" parameter is described as "The expiration date for the
cookie". Only, it's not. It's the expiration date for the ticket
within the cookie. If you touch the expiration date for the actual
cookie, it becomes persistent.

I suppose I may have talked myself through my own problem, but I'll
still post this because I think this is valuable information about an
incredibly unclear process. I have a few options:
- Don't use Request.IsAuthenticated in my
Application_AuthenticateRequest handler. Retrieve the cookie myself
with Request.Cookies[".ASPXAUTH"].
- Change the timeout property of the forms element in web.config
- Don't use GetAuthCookie or SetAuthCookie, create a new
FormsAuthenticationTicket and set the "expiration" parm manually

That wasted a few hours that could have been avoided by decent
documentation.
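The third option in the post, sketched as an added example that is not part of the original post: the ticket carries its own expiration inside the encrypted cookie value, while the cookie's `Expires` is left unset so the browser treats it as a session cookie. The `SessionTicket` class and its method names are hypothetical; the `System.Web.Security` calls are the framework's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical helper; the class and method names are illustrative.
public static class SessionTicket
{
    // Issues a ticket with its own lifetime inside a non-persistent cookie.
    public static void Issue(HttpResponse response, string userName, TimeSpan lifetime)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                  // ticket version
            userName,
            now,                // issueDate
            now.Add(lifetime),  // expiration of the TICKET, enforced server-side
            false,              // isPersistent
            String.Empty,       // userData
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.HttpOnly = true;
        // cookie.Expires is deliberately not set: setting it would turn this
        // into a persistent cookie written to disk by the browser.
        response.Cookies.Add(cookie);
    }

    // Time left on the ticket, or null if it is missing, tampered with or expired.
    // The cookie can still be present in Request.Cookies while this returns null.
    public static TimeSpan? Remaining(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }       // malformed value
        catch (CryptographicException) { return null; }  // failed validation

        if (ticket == null || ticket.Expired) return null;
        return ticket.Expiration - DateTime.Now;
    }
}
```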


