Security :: Forms Authentication Is Not Updating The Cookie?

Dec 13, 2010

We have had a bug recently where users are logging into an application with multiple browser tabs. They are editing a content page which means that they can be working on a page for sometime (ie with no postbacks) They finally click save and because the session has timed out it takes then to login page. I initally resolved they by adding a reminder that the session is about to expire which initally resolved the issue. It has been noted that even when they are within session time out they still got redirected to login page (and loosing the data on the form). We had real problems replicating the issue but have finally managed to do so now and I have learnt some curous features of .net Forms Authentication.

I have set up a test project which has the membership controls on etc. I have set the Timeout on the <forms> tag

<forms loginUrl="~/Account/Login.aspx" timeout="2" />Case 1I then open two browsers windows (side by side), both on the login page (and logged out)On the left window I login (and start a timer)after 40 seconds on the right window I navigate to a page (which takes me to the page as I have logged in on left window )I then wait until the full 2 minutes has elapsed (but before 2 Minutes and 40 seconds) and then try and navigate to a page on the left window.It redirects me to the login pageI would expect it to allow me to navigate to as I have kept my session open on the right window.Case 2I then open two browsers windows (side by side), both on the login page (and logged out)On the left window I login (and start a timer)after 90 seconds on the right window I navigate to a page (which takes me to the page as I have logged in on left window )I then wait until the full 2 minutes has elapsed (but before 2 Minutes and 40 seconds) and then try and navigate to a page on the left window.It Navigates to the page keeping me logged in.After a bit of reading around the subject I have found out that the slidingexpiration property only renews the cookie if it is in the last 50% of the timeout value:
Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed[URL]

My Question is: How can I override this bit of functionality?

Is there a property to set somewhere to "Always renew cookie"?

Is there another workaround. Unfortunately I can't increase the timeout because of a complience issue (it must be set to 15 minutes)

View 3 Replies


Similar Messages:

Security :: Forms Authentication - Users Logged Out Before Cookie Expiration?

Jun 16, 2010

For some reason my users are logged out of the system every 10-15 minutes or so...regardless of the configuration below....am I missing something?

[code]....

View 1 Replies

Security :: Forms Authentication Cookie Not Changing Current User Identity

Jan 21, 2010

I am having a problem with security in a web application I am building using Visual Web Developer 2008. I am using Forms Authentication:

<authentication mode="Forms">
<forms name=".MYAUTH" timeout="20" enableCrossAppRedirects="true" />
</authentication>

And a SQL Server database with ASP.NET Membership and Roles. I am using the LoginView control with the AnonymousTemplate and LoggedInTemplate to manage the user's interaction with logging in and out. The problem I am having is that I am authenticating the user against the database:

If Membership.ValidateUser(_userName, _txtLoginPass.Text)
Then returns True and:
FormsAuthentication.SetAuthCookie(_userName, False)
sets the cookie correctly:
FormsAuthentication.Decrypt(FormsAuthentication.GetAuthCookie(_userName, False).Values(0))
{System.Web.Security.FormsAuthenticationTicket} CookiePath: "/"
Expiration: #1/21/2010 1:42:27 PM#
Expired: False
IsPersistent: False
IssueDate: #1/21/2010 1:22:27 PM#
Name: "jaymo "
UserData: ""
Version: 2
but when I check
HttpContext.Current.User.Identity.IsAuthenticated it always returns False.
If done this before and it worked fine. I cannot find any mistake I might have made or where something might have changed between ASP.NET 2.0 and 3.5.

View 2 Replies

Security - How To Create An Authentication Cookie

Jan 29, 2010

Do we know the algorithm that asp.net uses to create the authentication cookie (when using forms authentication?)

Can we basically create our own copy implementation? if so, how?

What does it use to generate the encrypted cookie value, I know it uses whatever you pass into the SetAuthCookie call (which is usually the userID/username).

View 2 Replies

Security :: Share Authentication Cookie Between V3.5 And V4.0 Applications

Nov 6, 2010

I have a bunch of applications that currently share the authentication cookie in v3.5.

We're in the process of upgrading to 4.0 and also upgrading the applications as a whole. I have 1 done, and would love to deploy it. However, as soon as I do, I lose my sharing of authentication cookie in that application.

In each web.config, my machine key is declared. I removed the actual keys to protect the innocent. :)

<machineKey validationKey="..." decryptionKey="..." validation="SHA1"/>
<authentication mode="Forms">
<!-- DEV Server -->
<forms enableCrossAppRedirects="true" loginUrl="Logon.aspx" name=".COOKIENAMEHERE" protection="All" path="/" slidingExpiration="true" timeout="1440"/>
</authentication>

View 1 Replies

Security :: Authentication Cookie Expires Too Early?

Jul 6, 2010

My users need to stay logged in for 1 day, so I used a persistent authentication cookie with an expiration of 1 day but it still times out after 20 minutes (which is the default timeout for the session, not the cookie).

This is my code:

<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" path="/" />
</authentication>
FormsAuthenticationTicket ticket =
new FormsAuthenticationTicket(1, "username", DateTime.Now, DateTime.Now.AddDays(1), true, "userdata");
string encTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
cookie.Expires = ticket.Expiration;
HttpContext.Current.Response.Cookies.Add(cookie);

I also have manually-generated validation and decryption keys:

<machineKey>
validationKey="......."
decryptionKey="......."
validation="SHA1"
</machineKey>

View 19 Replies

Security :: Retrieve UserName From Authentication Cookie

Feb 5, 2010

Once the user has authenticated, I would like to base all of the information displayed to the user based on their username. Isn't that saved in the cookie?

For instance, I would like to pull all of their client information using a GridView and have the parameter set to the appropriate authentication information.

View 4 Replies

Security :: Manually Check Form Authentication Cookie Value?

Feb 18, 2011

My requirements is when one other website call my service (httphandler) and in response i will provide one parameter which is

value of form authentication cookie

now that website call my website with that cookie value as query string , how to check from that cookie value that particular use is authenticated or not ?

View 3 Replies

Security :: Keep Authentication Cookie Between Http And Https On Two Different Domain?

Dec 6, 2010

is it possible to preserve authentication for ASP.NET Forms authentication cookie,btween Http and Https (different domains) and back?I mean haveing single signon for two domains say http://www.mydomain.com and https://members.mydomain.comI've seen on quite asp.net sites that have a 'MyAccount' section they transfer the site to https and then when you have logged into your account successfully and gone back to the majority of the site you move back to http whilst still being logged in.

View 1 Replies

Security :: Finding Membership Authentication And ASPXAUTH Cookie Size

Oct 31, 2010

Without reading the whole text below, since this is on the ASP.Net side ... basically I think I need to know if there is a way to reduce the size of the forms authentication cookie. When using a DotNet 2.0 website, the ASPXAUTH cookie is about 232 bytes ... when using the same source code but upgraded to DotNet 4.0. the cookie is approximately 264 bytes, setting the ticketCompatabilityMode does not reduce the size since I think the default setting is Framework20. I length of the cookie, including the its' name can not be larger than 256 bytes in order to use it with the "Client Application Services".

I only did a cursory search of the asp.net forums, but will dilligently look for an existing solution.

----- BACKGROUND AND RESEARCH -----

I have been using all three features of client application services (authentication, profiles, and roles) in my windows app (DotNet 3.5 framework) for almost two years now. Up until now, I have not had any problems. This week I hit a brick wall and am pretty stumped with two seperate but related issues.

Issues:

In development, we decided to upgrade our websites/services to DotNet 4.0. All applications upgraded successfully. However we are unable to log into our application using Client Application services. No matter what user we use, Membership.ValidateUser returns false. Since we know the username and passwords, we thought this was strange. When debugging the application, we found that Membership.ValidateUser was throwing an InvalidOperationException (see below for complete exception) stating that the ASPXAUTH property was too long, longer that the schema created in the SQL/CE database. (See below for things tried).

In production .. A user all of the sudden could no longer gain access to the application. Upon inspection, his ASPXAUTH cookie was 264 characters long (9 characters longer than the schemas nvarchar(256)). Even though the user was being authenticated on the "server side", and the JSON query returned "{"d":true}", Membership.ValidateUser returned false. Again, as in the case above, the actual error was ...

Message=@PropValue : String truncation: max=256, len=264 ...

I am assuming I am missing something very simple or that I overlooked a settings. In development, this is not a huge issue as I can release the Dotnet 4.0 websites when I am ready. But now that this has happened to a client on a production system, it is very worrisome.

[code]....

View 1 Replies

Security :: Authentication Cookie Persistance To True On A Aspx Website?

Aug 26, 2010

authentication cookie persistance to true on a aspx website,this works great.now I have made an affiliate website (HTML + iframe (same aspx)) and it does not keep my user logged in after closing browser.

View 1 Replies

Security :: How To Implement Form Authentication Using Cookie Shared By Mulitple Domains

Feb 18, 2011

My requirement is multiple domains (not subdomains) share cookie of form authentication

how to implement same?

View 2 Replies

State Management :: Updating Cookie / Change The Value In A Cookie?

May 10, 2010

I want to change the value in a cookie:
HttpCookie hc = new HttpCookie("HiddenColumns");
hc.Value = customView.HiddenFields;
hc.Expires = DateTime.Now.AddDays(365);
Response.SetCookie(hc);

Or this way:

Response.Cookies["HiddenColumns"].Value = customView.HiddenFields;;
Response.Cookies["HiddenColumns"].Expires = DateTime.Now.AddDays(365);

But when I retrieve the cookie value, it is still old, unless I do postback. I don't want to use Redirect.

View 2 Replies

Ssl - How To Preserve Authentication For Forms Authentication Cookie

Aug 19, 2010

We have a non-SSL ASP.NET web app that allows a user to login (ASP forms authentication, inproc).

Once authenticated, we redirect their browser to an external, SSL secured page on another web site / domain altogether that we do not control.

The client is redirected back to a pre-configured url on our original http web app when done.

However, the customer is then asked to "re-login" again on our side which is undesired...

It seems the forms authentication cookie is destroyed when transitioning between HTTP and HTTPS and back again.

How can I keep the forms authentication cookie alive so that the customer does not have to re-authenticate on the round trip?

View 2 Replies

C# - How To Customize The Forms Authentication Cookie Name

Sep 2, 2010

I have 2 websites running on localhost in different ports. As browsers do not differentiate port numbers when sending cookies, my forms authentication ticket from one site is being sent to the other

How do I solve this? I thought that a good solution would be to change the forms authentication ticket or one of the websites but I don't know how to do this.

View 1 Replies

AJAX :: PageMethods - Forms Authentication Cookie Not Always Sent?

Oct 26, 2010

Since last week I've had a really odd issue with PageMethods, the forms authentication cookie, and the back button which i've never seen before.

Essentially, I have a 'home page' which on document.ready (using jQuery), loads some data through PageMethods, and then renders a list - from which you can click through to a details page about the item. In general use, it works fine. However, using the back button after clicking through (ie: going back to the home page), it throws a PageMethods error. The browser's 'authentication required' prompt appears, and if you click cancel, the server returns a 401. The error returned by PageMethods on the client side is 'authentication failed'.

After inspecting the request in Fiddler, the forms authentication cookie isn't sent with the request, which would explain why it is happening. My fiddler entry for the request looks like this:

[Code]....

View 1 Replies

Forms Authentication - What Is The Content Of FormsAuthentication Cookie Value

May 21, 2010

What is the content of ASP.NET FormsAuthentication cookie value? How can I see the real value of the hashed string (in case that I have the decrypted key)?

View 1 Replies

MVC :: Forms Authentication User.Identity.IsAuthenticated And Cookie?

Feb 9, 2010

I am using forms authentication and have an issue with a particular browser using the remember me feature. For various reasons I want to support the opera browser that works with the nintendo dsi. I can use forms authentication with that browser just fine but when I use the remember me (cookie) feature I can get through the login but then calls to User.Identity.IsAuthenticated return false. If I do not check remember me it works fine. Initially I thought the browser didn't support cookies but it does. At least I can go to m.gmail.com and check their version of remember me and it works. I can exit the browser and come back in and m.gmail.com remembers me. Also I don't have problems with remember me on any other browser I have tried.

Is anyone aware of some specific browser issue that doesn't work with asp.net forms authentication? I am using asp.net mvc but I doubt that matters.

View 3 Replies

Forms Authentication Cookie Not Expiring On Server Shutdown / Failure?

Jan 5, 2011

Here is a use case of my login using a CustomMembershipProvider

User Logs in MembershipProvider validates user account User property of Membership is set to user details coming from the database An authentication ticket is created Forms authentication cookie is added. User is logged in

Here is a use case of my problem Stop whe web development server Start the web development server, and user is still logged in (due to cookie?) User property Membership is set to null due to server restart/failure Application throws exception due to null user value

The only solution I could think off is to clear all cookies on Application_Start() but I don't know how is that even possible as Request is out of context during application start.

Here is the code:

[Code].....

View 2 Replies

IIS Configuration :: Membership Forms Authentication Cookie Clears On Application Pool Recycle

Jan 28, 2013

I use Form Based Authentication in my siteIn my login page I have:

FormsAuthentication.SetAuthCookie(user.userName, true)

View 1 Replies

MVC Authentication Cookie Not Being Retrieved

Jun 7, 2010

I am having a hard time implementing "Remember Me" functionality in an MVC application with a custom principal. I have boiled it down to ASP.NET not retrieving the authentication cookie for me. I have included a snaphot below from Google Chrome.

Shows the results of Request.Cookies that is set within the controller action and placed in ViewData for the view to read. Notice that it is missing the .ASPXAUTH cookie Shows the results from the Chrome developer tools. You can see that .ASPXAUTH is included here.

Does anyone know what the issue may be here? Why does ASP.NET not read this value from the cookie collection?

My application uses a custom IPrincipal. BusinessPrincipalBase is a CSLA object that ust implements IPrincipal. Here is the code for that:

[Code]....

I do not think that any of this is related because the bottom line is that the Request.Cookies does not return the authentication cookie. Is it related to the size of the cookie? I heard there are issues to the size of the cookie.

UPDATE: It seems that the issue revolves around subdomains. This site was being hosted with a subdomain and the cookie domain was left blank. Does anyone have any pointers on how I can get the auth cookie to work with all domains (e.g. http://mydomain.com, http://www.mydomain.com, and http://sub.mydomain.com)?

View 3 Replies

Forms Authentication - .NET Updating The FormsAuthenticationTicket?

Sep 21, 2010

when a user logins into my site i create the following authenticate ticket:

// Create the authentication ticket
var authTicket = new FormsAuthenticationTicket(1, // Version
userName, // Username [code]...

The problem i have is that if an administrator changes a user's role or time zone then the next time they return to the site their ticket is not updated (if they selected remember me when logging in).Here's my authentication settings incase it helps:

<authentication mode="Forms">
<forms timeout="10080" slidingExpiration="true" />
</authentication>
<membership userIsOnlineTimeWindow="15" />

I've been reading up on slidingExpiration but as far as i can tell it only increases the expiration time and doesn't renew the contents of the cookie.

View 1 Replies

Authentication Cookie Timout And IIS 7 Setting?

Jun 11, 2010

I have an ASP.NET website for which i've set the authetication timeout to 60 days so that my users don't have to log in each time they come back if they checked the "remember me" option. Basic ASP.NET login mechanism... It's working fine on my developpement server as well as on the visual studio built-in web server. I can close the browser, wait around 30-40 minutes and browse back to the site and be automatically logged in.

However, I've not moved the site to a hosting provider and it seems that whatever I do to my Web.config file, the cookie expires after around 30 minutes (hard to tell the exact amount of time). I have asked the provider's help support and they basically told me: "Web.config file is to configure your website. Please do not change it if you don't know what you are doing"Frustrating answer indeed... be sure, I checked everywhere on the net for exceptions, fine prints, in the basic asp.net authentication but found none.I have access to IIS remote management for my site (IIS 7) but don't really know where to look. Can there be something in the IIS setting that is overriding my web.config authentication setting?

View 1 Replies

State Management :: Creating Cookie With Client Scripting And Updating From Server Side?

Aug 9, 2010

cookies are generated from the client scripting.e.g. document.cookie = city=NYC;

I want to update this from GUI using

Response.cookies["city"] = LA;

I could not understand why this is not possible.( I read about Httponly and all that stuff but still not clear).If I use Javascript in code behind page then I am able to change the value.e.g.

Literal ltMsgUpdate = new Literal();
ltMsgUpdate.Text = "<script type='text/javascript'>document.cookie = 'city=LA';" + "</script>";
Page.Controls.Add(ltMsgUpdate);

But I could not use this type of code because there is response.redirect statement in the function where I am updating cookie using (response.cookie) and that's why the javascript code never runs.

Bottomline: I want to update cookies in code behind page which is generated in client scripting.

View 4 Replies

ASPXAUTH Authentication Cookie Not Cleared On Sign/log Out

Dec 8, 2010

I'm using ASP authentication and the integrated webservice.

The user logins in with Forms authentication on a login page.

To log out, I call the authentication webservice from Silverlight and call logout.

Everything worked OK but now sometimes IE gets crazy and doesn't log out the user anymore.

I used Fiddler and it turns out that the authentication service returns a SetCookie to clear the ASPXAUTH cookie but on the next call IE still has the cookie set.

So off course because the cookie is there the user is authenticated and logs right back in rather than being directed to the login page.

I checked and didn't see any other description of the issue.

I can't reproduce it and my colleagues that have a misbehaving IE have it working fine on one environment and not on the other (one has the issue for DEV and another has the issue for the PreProd server).

View 2 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved