Re: Forms Authentication non-persistent cookie not expiring after closing the browser

Hari,

If you authenticate against the Active Directory, why not host your solution under intergrated security?

That would solve a lot of your problems.

Kind regards,

Matthijs Krempel

<rh.krish@xxxxxxxxx> schreef in bericht news:3de4437f-d2be-4fa2-a02b-e489ea89002d@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have a typical ASP.NET 2.0 Forms authentication application which
authenticates against Active Directory. I use non-persistent cookie so
that the user is NOT remembered across browser sessions. The timeout
is set to 10 minutes. Here is the important code snippets that I took
from my original code:

string roleToCheck = .....;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
member.UserName, DateTime.Now, DateTime.Now.AddMinutes(10), false,
roleToCheck, FormsAuthentication.FormsCookiePath);
string encryptedTicket =
FormsAuthentication.Encrypt(ticket);
HttpCookie authSessionCookie = new
HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authSessionCookie.HttpOnly = true;
authSessionCookie.Expires = ticket.Expiration;
Response.Cookies.Add(authSessionCookie);
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);

Note that I'm setting the 2nd parameter to false which means that it
creates non-persistent cookie. Now I opened the IE browser and logged
in by entering the user credentials. I closed the window and there was
no other instance of IE running. I opened another IE and entered the
URL and it straight away went to default page instead of Login page.

1. Why is the cookie not expiring even after I close the browser?
2. If that's how the ASP.NET works, is there any work around so that
whenever the user closes IE and opens another IE, he should be forced
to login once again?

Thanks,
Hari.

.

Relevant Pages

  • Re: How to setup authentication across domains within a forest?
    ... forest, regardless of their location. ... DCs for the domain ... Windows 2003 Server Deployment Guide (Active Directory ... >> authentication db and users authenticate to the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Automatically adding www
    ... The browser itself will do this by typing mydomain then ... Since the record for mydomain.com must resolve to Domain Controllers in an ... Active Directory environment there is another work around. ... will work just fine if you use a host header, ...
    (microsoft.public.win2000.dns)
  • Re: XP and IIS newbie question
    ... Only a browser can cache your credentials. ... Alternatively, if you do think that ths may be related to IIS, then can you ... authenticate using my domain username and password (let's call it ... The application thinks I am mycorp/adminJM even when I ...
    (microsoft.public.inetserver.iis)
  • Re: FAQ Topic - How do I prompt a "Save As" dialog for an accepted mime type?
    ... Opera on the bare minimum existence level in the after Browser Wars ... " I ") personal opinion but using an old and rather known slogan ... Why MS decided to make the Windows Updates IE specific is anybody's guess - short of a declaration from MS - but an educated guess would be simple. ... The Update verifies that you are running an authenticate version of Windows and not a pirated version. ...
    (comp.lang.javascript)
  • Re: IIS and session timeouts?
    ... more concerned about public Kiosks both on-site and off- ... If a user authenticated to AD via the browser, ... >on inactivity. ... Users authenticate to our intranet site via W2K ...
    (microsoft.public.win2000.security)