stackoom
  简体   繁体   中英

FormsAuthentication class c#

 原文  2009-06-18 03:03:41       c#/ asp.net/ forms-authentication

Question

If I call FormsAuthentication.SetAuthCookie("john", true), is the users name stored in the cookie?

What I'm trying to find out is if the users session times out and then the user revisit the site again, Request.IsAuthenticated is set to true, but where is the users name coming from?

3 answers

solution1
 3  2009-06-18 03:10:45

Session timeout and authentication timeout are two separate things. You can have sessions time out without invalidating the authentication.

Yes, the user's name is stored in the authentication cookie. It is encrypted, however.

solution2
 1  2009-06-18 03:13:10

You can use your browser to examine the content of your cookies. For example my stack over flow cookie looks like:

F650CE82F53D2C39C8C06B5F26EB34E20FEAC3585035E2A6E9FA30B8ECF5051F4D9C8....

The value is an encrypted goo of a username and potentially the user roles.

The cookie is good as long as you want it to be. It isn't tied to the session.

In your sample code you created a persistent cookie, so it lives for the life of the cookie, even if you close your browser. Now if the cookie is memory based, it lasts until you close your browser, even if the expiration time would let it live longer.

Here are the default values: 

<forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH" 
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />

solution3
 0  2009-06-18 03:11:40

As from this MSDN page it sets forms-authentication ticket to either cookies or in URL if CookiesSupported is set false.

When you set second argument as true, the cookie is persistent so when user visits second time (after session timesout) your app gets the cookie with auth-ticket and so it get the user details (as far as I think).

If you don't want to make this happen I think either setting the second argument to false: 

FormsAuthentication.SetAuthCookie("john", false);

or explicitly clearing the ticket (and so cookie): 

FormsAuthentication.SignOut();

will work for you.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question C# WebClient FormsAuthentication C# Winforms Application and FormsAuthentication c# FormsAuthentication signOut another user C# Consume WebService authenticated via FormsAuthentication Method Getting information from the cookie made by FormsAuthentication.RedirectFromLoginPage in C# Password hashing in a C# Windows app, absent ASP.NET's FormsAuthentication? C# Formsauthentication timeout in web.config overrules manual ticket timeout? PHP class to C# class? Dictionary C# with class C# class serializing
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM