Security :: Forms Authentication - Users Logged Out Before Cookie Expiration?
Jun 16, 2010
For some reason my users are logged out of the system every 10-15 minutes or so...regardless of the configuration below....am I missing something?
[code]....
View 1 Replies
Similar Messages:
Mar 28, 2011
we have a web based application that let users register, activate their account and then login to use the app...
it is very important that accounts must not be used simultaneously, so if user a is logged in using mynameisA/mypassword, no one else can login at the same time using the same credentials, until he logs out.
this was achieved by using a cache mechanism that inserts an entry specific to that user and will keep on refreshing at each request, until the user logs out, where we remove that cache entry. on login, we check whether that cache entry is there in order to allow him in or throw a message saying that the user is already logged in... we use enterprise library 5.0 which we found more reliable than the asp.net cache, and for various other practical reasons.
now, this works fine, but the problem is that it seems like the authentication ticket and cookie doesn't slide properly at each request. so sometimes, users end up logged out because their authentication ticket got expired, and they cannot login again because the cache entry is still there.
here is the code in the sign-in page:
' if user credentials are valid, and other checks and validations...
[Code]....
here is the code that runs on every authenticated request (httpmodule):
[Code]....
and here is the web.config stuff:
[Code]....
we've done all kind of tests including metabase IIS6 monitoring. there is no apppool recycle happening...
checking the authentication cookie in firefox view cookies option shows that on each request, the expiration time of the authentication cookie is not sliding.
View 7 Replies
Aug 28, 2010
can u tell me how to automatically sign out a user if he/she closes the browser window without signing out. I'm using Forms Authentication.
View 1 Replies
Dec 13, 2010
We have had a bug recently where users are logging into an application with multiple browser tabs. They are editing a content page which means that they can be working on a page for some time (i.e. with no postbacks). They finally click save and because the session has timed out it takes them to the login page. I initially resolved this by adding a reminder that the session is about to expire, which initially resolved the issue. It has been noted that even when they are within the session timeout they still got redirected to the login page (and losing the data on the form). We had real problems replicating the issue but have finally managed to do so now and I have learnt some curious features of .NET Forms Authentication.
I have set up a test project which has the membership controls on etc. I have set the Timeout on the <forms> tag
<forms loginUrl="~/Account/Login.aspx" timeout="2" />
Case 1
I then open two browser windows (side by side), both on the login page (and logged out).
On the left window I login (and start a timer).
After 40 seconds on the right window I navigate to a page (which takes me to the page as I have logged in on the left window).
I then wait until the full 2 minutes has elapsed (but before 2 minutes and 40 seconds) and then try and navigate to a page on the left window.
It redirects me to the login page.
I would expect it to allow me to navigate to it as I have kept my session open on the right window.
Case 2
I then open two browser windows (side by side), both on the login page (and logged out).
On the left window I login (and start a timer).
After 90 seconds on the right window I navigate to a page (which takes me to the page as I have logged in on the left window).
I then wait until the full 2 minutes has elapsed (but before 2 minutes and 40 seconds) and then try and navigate to a page on the left window.
It navigates to the page, keeping me logged in.
After a bit of reading around the subject I have found out that the slidingExpiration property only renews the cookie if it is in the last 50% of the timeout value:
Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed [URL]
My Question is: How can I override this bit of functionality?
Is there a property to set somewhere to "Always renew cookie"?
Is there another workaround? Unfortunately I can't increase the timeout because of a compliance issue (it must be set to 15 minutes)
View 3 Replies
Jun 23, 2010
i used security in login page which restricts all users who have not logged in to all pages. I need to restrict specific users to specific pages. I'm not using AspSqlService provider. So i cannot create roles and restrict automatically. And the pictures i use in login page are not visible @ runtime.
View 1 Replies
Mar 17, 2011
We are using membership provider for LDAP authentication. It is working as it should.
But what all configuration settings I have to do so that
all the future requests to this application run under the security context of the Logged in user account not through the some default user set in IIS.
We need to have this working because all the permissions on the database are based on the logged in user.
We are using form authentication for LDAP authentication. And having impersonation = true in web.config.
View 1 Replies
Jan 21, 2010
I am having a problem with security in a web application I am building using Visual Web Developer 2008. I am using Forms Authentication:
<authentication mode="Forms">
<forms name=".MYAUTH" timeout="20" enableCrossAppRedirects="true" />
</authentication>
And a SQL Server database with ASP.NET Membership and Roles. I am using the LoginView control with the AnonymousTemplate and LoggedInTemplate to manage the user's interaction with logging in and out. The problem I am having is that I am authenticating the user against the database:
If Membership.ValidateUser(_userName, _txtLoginPass.Text)
Then returns True and:
FormsAuthentication.SetAuthCookie(_userName, False)
sets the cookie correctly:
FormsAuthentication.Decrypt(FormsAuthentication.GetAuthCookie(_userName, False).Values(0))
{System.Web.Security.FormsAuthenticationTicket} CookiePath: "/"
Expiration: #1/21/2010 1:42:27 PM#
Expired: False
IsPersistent: False
IssueDate: #1/21/2010 1:22:27 PM#
Name: "jaymo "
UserData: ""
Version: 2
but when I check
HttpContext.Current.User.Identity.IsAuthenticated it always returns False.
I've done this before and it worked fine. I cannot find any mistake I might have made or where something might have changed between ASP.NET 2.0 and 3.5.
View 2 Replies
Feb 10, 2011
I know how to identify the current user during a specific browsing session and can thus control the data, etc, made visible to that individual user. I also know how to find out how many users logged in within the recent past, using:
Membership.GetNumberOfUsersOnline()
.... which I believe calculates the number of users who have logged in within the past 15 minutes. However, I would like to know if there is any way to identify all the users who are logged in at a point in time. Is this possible?
View 9 Replies
Mar 8, 2011
I am using ASP.Net Forms based security with the login control. On my site a user will make a number of selections that will be written to a database. Is there a unique user id that I can get from the AspNetSqlProvider that I can use to id users in my database? When a user logs back in after being away I want to be able to retrieve the user's information using this id.
View 7 Replies
Oct 26, 2010
I need something to secure my PDF files link ...
i have a page like http......../folder/userName.pdf
i need to to encrypt the file name ( i put it "login userName" ) ...
how do i let logged in users download their pdf files without knowing the URL above , for security reasons only ...
View 4 Replies
Jan 29, 2010
Do we know the algorithm that asp.net uses to create the authentication cookie (when using forms authentication?)
Can we basically create our own copy implementation? if so, how?
What does it use to generate the encrypted cookie value, I know it uses whatever you pass into the SetAuthCookie call (which is usually the userID/username).
View 2 Replies
Jul 2, 2010
I used [URL] as a guide and have something configured to show me the users which are logged into the system. This uses the aspnet_Users.LastActivityDate column to see when someone last did something on the system. It also uses the userIsOnlineTimeWindow within the web.config to determine whether a user is online or not.
But because of this userIsOnlineTimeWindow limitation of .NET, even when someone logs out of the system or closes their browser window, the system still sees them as being online. Also, if they are on a page and don't do anything for 10 minutes, the system will show them offline until they refresh their page or go to another page. know of a better, more real-time way to tracking users which are logged in, logged out, etc?
I don't want to wait 10 minutes for the system to show that a user is offline and also if there's 10 minutes of inactivity, it shows them being offline.
View 1 Replies
Dec 5, 2010
I have a site where the admin can log in to make changes to his content, but while making changes (using a specific asp.net control) with no page loads or callbacks while editing, the user is sometimes being logged out.
I want to increase the time it takes for the system to wait before logging-out inactive users.
I'm using the standard membership provider.
View 1 Replies
Mar 6, 2011
How do I keep the pages from time out when users are logged in?
View 3 Replies
Dec 28, 2010
I'm creating a cookie with an expiration of 12 hours from now. When I run my solution locally and go into C:\Users\..\AppData\Local\Microsoft\Windows\Temporary Internet Files and look at the expires property of my cookie the date and time are correct. However, when I deploy this to our web server and go to the website I notice the cookie that got created for it has an expiration date of 2 years from now, minus a day. So the cookie should be set to expire on 12/29/2010 8:00 PM for example instead shows 12/28/2012 8:00 PM. Here's the code I'm using to create the cookie, pretty basic. And yes, the date on the web server is correct. I really want the cookie to expire in 12 hours, not 2 years.
[Code]....
View 6 Replies
Nov 6, 2010
I have a bunch of applications that currently share the authentication cookie in v3.5.
We're in the process of upgrading to 4.0 and also upgrading the applications as a whole. I have 1 done, and would love to deploy it. However, as soon as I do, I lose my sharing of authentication cookie in that application.
In each web.config, my machine key is declared. I removed the actual keys to protect the innocent. :)
<machineKey validationKey="..." decryptionKey="..." validation="SHA1"/>
<authentication mode="Forms">
<!-- DEV Server -->
<forms enableCrossAppRedirects="true" loginUrl="Logon.aspx" name=".COOKIENAMEHERE" protection="All" path="/" slidingExpiration="true" timeout="1440"/>
</authentication>
View 1 Replies
Jul 6, 2010
My users need to stay logged in for 1 day, so I used a persistent authentication cookie with an expiration of 1 day but it still times out after 20 minutes (which is the default timeout for the session, not the cookie).
This is my code:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" path="/" />
</authentication>
FormsAuthenticationTicket ticket =
new FormsAuthenticationTicket(1, "username", DateTime.Now, DateTime.Now.AddDays(1), true, "userdata");
string encTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
cookie.Expires = ticket.Expiration;
HttpContext.Current.Response.Cookies.Add(cookie);
I also have manually-generated validation and decryption keys:
<machineKey validationKey="......." decryptionKey="......." validation="SHA1" />
View 19 Replies
Feb 5, 2010
Once the user has authenticated, I would like to base all of the information displayed to the user based on their username. Isn't that saved in the cookie?
For instance, I would like to pull all of their client information using a GridView and have the parameter set to the appropriate authentication information.
View 4 Replies
Nov 1, 2010
I have a web application with a login form. A user enters a user name and password. If they exist in the database the user is authenticated using these two lines:
[Code]....
The problem is that when a user logs in at first he is logged in as himself. When navigating on the web application for a while the user assumes the identity of another logged in user. This happens all the time. In my web.config the authentication mode looks like this:
[Code]....
The site does not use ASP.NET session variables. Instead each page initializes a Singleton class, which stores itself in a static class variable, always accessing the users data already read from the database. The Singleton implementation is:
[Code]....
Could the problem with assuming another logged in users "session" be related to static classes in my application or a Forms Authentication configuration or a configuration in IIS (e.g. is it possible for users to have their own process?).
View 12 Replies
Sep 14, 2010
I have designed a navigation structure that is customisable from within my application and linked to the users role.
So I can restrict what menu items a user gets based on their role.
I have managed to do this quite well using SQL Tables and an ASP.Net Menu.
I can get it to only show the menuitems that are marked active and I have created an Stored procedure to get the menu items for a particular role.
Where I am struggling is getting the Logged On Users Roleid to pass it to the Stored Procedure.
I can get it using a regular aspx page but my menu is on my masterpage and I do not want to have to code it in each and every page.
I even tried to do it with a user-control but same happens. It seems that the User class is just not available when in a masterpage.
how I can pass the roleid from a Class or something or from the page to the masterpage?
View 2 Replies
Apr 11, 2010
I have a Login.aspx in my application.
After users logged in, if they press "back" in the browser, it goes to the Login.aspx page.
But I don't want to show users the Login.aspx page when they are logged in. how to restrict users to see the login.aspx page if they are logged in??
I am using sql role based membership provider and standard login control provided by Visual web developer 2008.
View 7 Replies
Feb 18, 2011
My requirement is: when another website calls my service (httphandler), in response I will provide one parameter, which is the value of the forms authentication cookie.
Now that website calls my website with that cookie value as a query string. How do I check from that cookie value whether that particular user is authenticated or not?
View 3 Replies
Dec 6, 2010
Is it possible to preserve authentication for the ASP.NET Forms authentication cookie between HTTP and HTTPS (different domains) and back? I mean having single sign-on for two domains, say http://www.mydomain.com and https://members.mydomain.com. I've seen on quite a few ASP.NET sites that have a 'MyAccount' section they transfer the site to HTTPS and then when you have logged into your account successfully and gone back to the majority of the site you move back to HTTP whilst still being logged in.
View 1 Replies
Apr 1, 2010
In the web.config file i have put some code in so that when users log in they will be re-directed to another part of the website which only registered users can access. for the admin part only the admin can log in and it takes him to the admin section and that works fine. it is only this that is causing me problems.
the code i inserted for which the user needs to be diverted to is:
<location path ="UserLoggedInFindUs.aspx">
<system.web>
<authorization>
<deny users ="?"/>
[Code]....
View 11 Replies
Apr 2, 2010
In the web.config file i have put some code in so that when users log in they will be re-directed to another part of the website which only registered users can access. for the admin part only the admin can log in and it takes him to the admin section and that works fine. it is only this that is causing me problems.
the code i inserted for which the user needs to be diverted to is:
<location path ="UserLoggedInFindUs.aspx">
<system.web>
<authorization>
<deny users ="?"/>
[Code]....
View 2 Replies