
Authentication Cookie in asp.net

I'm using forms authentication in ASP.NET. I have set my authentication cookie expiration to 60 mins, the session timeout in web.config to 60 mins, the forms timeout in web.config to 60 mins, and the idle timeout in IIS to 60 mins.

    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="~/Account/Login.aspx" timeout="60" defaultUrl="~/Landing.aspx" slidingExpiration="true"/>
        </authentication>
        <sessionState timeout="60" mode="InProc"/>
    </system.web>

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        2,                            // Version number
        txtUserName.Text.Trim(),      // Username
        DateTime.Now,                 // Issue date
        DateTime.Now.AddMinutes(60),  // Expiration date
        false,                        // Persistent?
        userData                      // User data
    );

Since I'm using forms authentication, if the user is idle for 60 mins the user should be redirected to the login page after 60 mins. But I need to know what will happen if the user is not idle for 60 mins. Will the authentication cookie expire despite the fact that the user is still authenticated?

EDIT

I missed one more thing: I have set the Application Pool Identity in IIS to Network Service.

Yes, the user will still expire, and he/she will not be authorized to use resources available on the server. You are using a Forms Authentication cookie, which is a simple container for the FormsAuthentication ticket.

Because your ticket is non-persistent, this will cause your "cookie" to expire which will redirect the user to the LOGIN PAGE. Note this handles "authentication" only, and not to be confused with Session.

You may have Session "expire", but the user is still authenticated, and that could be a problem.

So to answer your question directly, the "User authentication" will expire, and he/she will be redirected to the Login page, where a new cookie will be created on login, which will create another "Session" object. Over time the previous one will expire.

Advice: Make the Forms timeout in "Web.config" smaller than Session. Don't build a dependency on Session for anything Auth/Security related; the two are different containers and should be treated as such.

You'd better read the links below. It'll be faster for you. Take a look at slidingExpiration.

The expiration is refreshed on each request before half time of expiration.

Understanding the Forms Authentication Ticket and Cookie and forms Element
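An added example, not taken from the posts above: a plain-C# model of the documented `slidingExpiration="true"` rule, under which a request renews the ticket only once more than half of its lifetime has elapsed. The `Ticket` class, the method names and the request times are constructed for illustration; nothing here calls System.Web.

```csharp
using System;

// Illustrative model of the sliding-expiration rule (hypothetical names, not System.Web code).
static class SlidingExpirationModel
{
    sealed class Ticket
    {
        public readonly DateTime Issued, Expires;
        public Ticket(DateTime issued, DateTime expires) { Issued = issued; Expires = expires; }
    }

    // Renew only when the remaining lifetime is no longer greater than the ticket's age,
    // i.e. once more than half of the timeout has elapsed.
    static Ticket RenewIfOld(Ticket t, DateTime now)
    {
        TimeSpan age = now - t.Issued;
        TimeSpan remaining = t.Expires - now;
        if (remaining > age) return t;                        // first half: ticket unchanged
        return new Ticket(now, now + (t.Expires - t.Issued)); // same lifetime, restarted now
    }

    // Replays request times (minutes after login) against one ticket.
    // Returns the minute of the first request rejected as expired, or -1 if none was.
    public static int FirstRejectedMinute(int timeoutMinutes, int[] requestMinutes)
    {
        DateTime login = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc); // constructed
        Ticket ticket = new Ticket(login, login.AddMinutes(timeoutMinutes));
        foreach (int m in requestMinutes)
        {
            DateTime now = login.AddMinutes(m);
            if (now > ticket.Expires) return m;  // expired: redirect to the login page
            ticket = RenewIfOld(ticket, now);
        }
        return -1;
    }

    static void Main()
    {
        // A request every 20 minutes: renewed at minutes 40, 80 and 120, never rejected.
        Console.WriteLine(FirstRejectedMinute(60, new[] { 20, 40, 60, 80, 100, 120 }));
        // Requests only in the first half never renew; the request at minute 65 is
        // rejected although the user was last active 40 minutes earlier.
        Console.WriteLine(FirstRejectedMinute(60, new[] { 5, 10, 25, 65 }));
        // No request at all until minute 61: rejected.
        Console.WriteLine(FirstRejectedMinute(60, new[] { 61 }));
    }
}
```

With a 60-minute timeout the effective idle window therefore ranges from 30 to 60 minutes, depending on when the last renewing request landed.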
