Re: Persistent Cookies

Yes, I know that they aren't used for session management. Since persistent
cookies aren't working the way they were in asp.net 1.1, wherein what used to
happen was the framework itself had set the timeout for a persistent cookie
for days, we didn't have a control over it. However in asp.net 2.0 we can
set the timeout for persistent cookies in our configuration. But the funny
thing is no matter if you want the cookie to be persistent or
non-persistent, both will acquire this timeout value. So it leaves me no
choice but to set one. Scott Guthrie from Microsoft also verified this to
us.

Although I'm working out my options and not just setting the timeout value
to a huge number. For the record I'm using DotNetNuke 2.4 and facing this
problem since I shifted to asp.net 2.0. However my Team leader tells me that
in DNN 4.0 persistent cookies work fine despite the default timeout.

Thanks
Sanchita
"Cowboy (Gregory A. Beamer)" <NoSpamMgbworld@xxxxxxxxxxxxxxxxxx> wrote in
message news:ADE74ED7-274F-4938-A1BC-50C9A3C38779@xxxxxxxxxxxxxxxx
You miss the purpose of persistent cookies. They are not used for session
management, they are used for authentication.

A persistent cookie is designed to allow the user to access a secured site
without having to log in again when he hits the site the second time. It
persists the authentication on the client side so it is sent with the
header. The system then automatically logs him in.

Session timeout is a part of your application. While the cookie can
"re-log on" the user if he times out, it cannot change the timeout
behavior on the server just because the user has a cookie.

For the record, you should NOT increase timeout to days. That defeats the
purpose of session management. What you can do is kick the user back to
the start page and abandon session, forcing the timeout. You then provide
a link on the timeout page. This can be a dynamic link back to where he
was working, if you desire. The user will then be logged back in, as the
cookie is there.

This may not be what you envision and make you think you want to increase
session time until the year 2010. Here is why. The session timeout is how
long the server keeps objects in session, meaning in memory on the server.
You set a really long timeout, say two weeks out. That session is now open
for two weeks. User's computer crashes and he opens the browser and hits
your site. You now have 2 two-week sessions for one user. After some work,
the user shuts down and then opens the browser again and hits the site.
You now have 3 two-week sessions for one user. This can go on until you
use all of the memory on the server with just a couple of users.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

*********************************************
Think outside the box!
*********************************************
"sanchita" <sanchita@xxxxxxxxxxxxxx> wrote in message
news:OSj$Xv%23bHHA.1244@xxxxxxxxxxxxxxxxxxxxxxx
Hello everyone,

I didn't get any response in "Security" forum hence posting here again.

I am having a problem with persistent cookies. Even after setting
"CreatePersistentCookie" to true in "FormsAuthentication.SetAuthCookie"
I'm being logged out after the specified timeout provided in the "forms"
element of web.config.

I read somewhere that the lifetime of persistent cookies depends on the
timeout attribute on the forms authentication node. If I have to enter a
timeout of days/weeks then it doesn't really make sense to make my cookie
persist in this fashion, that defies the purpose of persistent cookies.

Any insights welcome
Thanks
Sanchita