Vivek Thakur

Chaotically Complex


ASP.NET Ventures

I was answering a query related to FormsAuthentication in ASP.NET 2.0 and got to know that the behavior of persistent cookies has changed in 2.0: they now take the "timeout" value from the web.config file (even if we manually set the cookie's expiry time). The MSDN documentation (http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx) is also incorrect in my opinion, as it says that persistent cookies do not time out. In fact they do, and they take the value from the web.config timeout attribute (whereas in ASP.NET 1.1 the persistent cookie had a long timeout of around 50 years and did not take the web.config timeout value into account). Here is the code I used:

using System;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string Username = "vivekT";
        if (TextBox1.Text == "a")
        {
            // true is used to create a persistent cookie
            HttpCookie cookie = FormsAuthentication.GetAuthCookie(Username, true);
            // DOESN'T WORK in 2.0 as the value is taken from the "timeout" attribute in the config file
            cookie.Expires = DateTime.Now.AddMonths(3);
            Response.Cookies.Add(cookie);
            // redirect to the originally requested page
            Response.Redirect(FormsAuthentication.GetRedirectUrl(Username, true));
        }
    }
}
//end class

Also, even if I use FormsAuthentication.RedirectFromLoginPage(Username, true), which should have created a persistent cookie, the behavior is not as expected. The timeout value from web.config is again "enforced", making sure that truly persistent cookies become a thing of the past.

I went through another post and realized that this new behavior has "crippled" the "Remember me" check-box functionality as we cannot have persistent as well as non-persistent cookies having different timeouts in ASP.NET 2.0, besides weakening the non-persistent security as mentioned in the same post.

Am I missing something here or has ASP.NET 2.0 really crippled itself?

UPDATED

Thanks to another discussion on the forums, I got to know that in ASP.NET 2.0 you need to manually set the FormsAuthenticationTicket's expiration to create a persistent cookie. See the code below:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(Username, true, 1439200); // should be same as cookie expiration
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authCookie.Expires = DateTime.Now.AddMonths(3); // make sure it's the same as the FormsAuthentication ticket expiry value
HttpContext.Current.Response.Cookies.Add(authCookie);
Response.Redirect("default.aspx");

posted on Friday, October 13, 2006 9:48 AM
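
The "Remember me" case discussed above, as an added example that is not code from the original post: one helper issues the ticket with a different lifetime for persistent and non-persistent logins and keeps the cookie's Expires tied to the ticket's own Expiration, since the server validates the expiration stored inside the encrypted ticket rather than the cookie's expiry date. The class name AuthCookieHelper and the 30-day and 20-minute lifetimes are assumptions chosen for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the original post).
public static class AuthCookieHelper
{
    // Assumed lifetimes for illustration only.
    private static readonly TimeSpan RememberMeLifetime = TimeSpan.FromDays(30);
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(20);

    public static HttpCookie IssueAuthCookie(string userName, bool rememberMe)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(rememberMe ? RememberMeLifetime : SessionLifetime);

        // The ticket carries its own expiration; this is what the server checks.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,
            issued,
            expires,
            rememberMe,                          // IsPersistent
            string.Empty,                        // no user data
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));

        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follow <forms requireSSL="...">

        // Persistent login: the browser keeps the cookie exactly as long as the
        // ticket is valid. Non-persistent login: leave Expires unset so the
        // cookie is discarded when the browser closes, and the short ticket
        // lifetime still limits a session that is left open.
        if (rememberMe)
        {
            cookie.Expires = ticket.Expiration;
        }
        return cookie;
    }
}
```

In a login handler the result would be added with Response.Cookies.Add(AuthCookieHelper.IssueAuthCookie(Username, rememberMe)) before redirecting.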

Feedback

# re: FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0? 10/31/2006 4:32 AM Michael
Seems like you need to set the FormsAuthenticationTicket.Expiration in addition to the cookie.Expires.

# re: FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0? 10/31/2006 9:36 PM Vivek
Hi,

Check this post, I do not think this works..but I'll wait for replies here..maybe I am doing something stupid :-). Here is the post:
http://forums.asp.net/1448155/ShowThread.aspx#1448155

Vivek

# re: FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0? 2/9/2007 2:21 PM Srikanth Sundaram
The FormsAuthentication.Expiration defines the expiration time for the cookie being set. This works only if the FormsAuthenticationTicket object has its IsPersistent property set to true, or else the cookie is destroyed after the set 'timeout' value.

# re: FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0? 2/28/2007 7:44 PM George
When you use this setting in web.config, it will work for about 30 days:

<authentication mode="Forms" >
<forms timeout="44000" slidingExpiration="true" />
</authentication>

# re: FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0? 3/21/2007 12:38 AM Cody21
After a lot of searching, I found this thread. I coded my web.config file as noted above. When I return to my site, I continually get prompted to LOGIN ...

Has anyone actually got this working?

# re: FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0? 11/9/2007 2:00 AM ReTox
same situation here, Cody21

it works on local machine, but shared host application is always asking me to login

# re: FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0? 3/25/2008 5:38 PM Michele
Hi everyone, about ticket and cookie creation on ASP.NET 2.0, has anybody tried to write a cookie with a .NET 2.0 application and read the same cookie using a .NET 1.1 application?
I don't know if there is compatibility, but my .NET 1.1 solution cannot read the cookie (the Context.Request.Cookies(usercookie) is Nothing).

thank you

# re: FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0? 3/25/2008 10:36 PM Vivek
hi,

Yes, you can do that. Cookies are independent of the framework you are using; in fact you can read a Java cookie in an ASP.NET app. The only issue is when dealing with security cookies, for which the machinekey should be the same. But for normal cookies it should work fine!

Vivek
