What Happens When A HttpCookie Expiration Has Been Crossed
Mar 26, 2010
I am creating some cookies in my ASP.NET application. These cookies expire 10 minutes after they have been created. I follow the approach described on MSDN as shown here: [URL]
My question is, when a cookie "expires", what happens? Does the browser automatically delete the cookie? Is it our responsibility as developers to remove the cookies if they exist and have expired?
We are upgrading the ASP.NET 2.0 web application to ASP.NET 4.0.
The application contains three main modules (sub applications) like End User, Franchise and Admin, with separate web.config, ASP.NET Forms Authentication and login page, running under a single domain.
In ASP.NET 2.0, it works fine with 3 sub applications with separate forms authentication under a single domain name, and we can also work with all three at the same time.
After the upgrade process (ASP.NET 2.0 to 4.0), we didn't run all three applications at the same time, and the forms authentication also crossed.
I'm fairly new so I've been learning via examples. The idea of this part of the project is to present a list of items (out of a DB), and when you click on an image that's on the list, it should open a new window with the details. This is the snippet where
A web site was developed and deployed to client. In some cases, I need to set the flag HttpCookie.HttpOnly = true. Okay - I have done it. Next question:
Is the cookie available after setting the flag in JavaScript? Or is there maybe some restriction when I am using JavaScript? Or do I need to make some changes in the existing JavaScript?
I'm creating an HttpCookie, setting only the name and value and not the expires property, then adding it to the response. Simple enough. The cookie is created (but not persisted) as expected. The problem is when the session changes for some reason (like the website was rebuilt, or I rebuilt my app when debugging) then the cookie stays around. I want the cookie to be valid for only the original session it was created on.
According to MSDN it says: "If you do not specify an expiration limit for the cookie, the cookie is not persisted to the client computer and it expires when the user session expires." I guess I don't know exactly what "session expires" encompasses. I figure the cookie gets deleted after 20 min when the session expires. But should the cookie get deleted if the session it was created on doesn't exist anymore for any number of reasons? The only time I've seen the cookie get deleted is when the user closes all browser windows and opens a new one.
If this is all true, I may have to store the original session id ("ASP.NET_SessionId") in the cookie, then check it against the current session id, if they're different, then delete the cookie or create a new one.
Here's the code (the only difference between my cookie and the one in the MSDN examples is I'm storing multiple values in the cookie):
    private void SaveValuesToCookie(string[] names, string[] values)
    {
        HttpCookie cookie = new HttpCookie("MyCookie");
        for (int i = 0; i < names.Length; i++)
        {
            string name = names[i];
            cookie.Values[name] = values[i];
        }
        Response.Cookies.Add(cookie);
    }

    private string GetValueFromCookie(string name)
    {
        HttpCookie cookie = Request.Cookies["MyCookie"];
        if (cookie == null)
            return null;
        return cookie.Values[name];
    }
I'm trying to write cookies from my website and I'm trying to figure out what implications timezones have over the HttpCookie.Expires property. Should I be passing DateTime.Now.AddDays(1) or DateTime.UtcNow.AddDays(1) or the user's timezone plus a day?
I have a web application developed using VB .Net 2003, and is running ASP Net 1.1.
The application is running fine on all browsers, except for the login/authentication control that doesn't work properly on Chrome.
We have different types of users using the website, and each user type has different menu items displayed for it.
The problem is, if a user logs on with let's say Admin account, and logs off and later logs on again using student account, the user still gets the Admin menu, and of course vice versa.
I'm not sure if I'm doing something wrong, or there is something I'm missing here.
One more thing: if the timeout period is reached, and the session has timed out, and the user (regardless of the type) tries to log on again, he is successful on all browsers except on Chrome again, where it keeps telling him the session was timed out, and never logs on again until clearing the cookies.
This has been a nagging issue for some time, but very sporadic and difficult to isolate.
From time to time, browsers that have authenticated on a web application, have been open for a while, have logged in and out of the same web application multiple times, have multiple tabs, are pretty much any browser (Chrome, IE, Firefox, Safari), and seemingly at random, lose their ability to retain an AuthCookie after being set and followed by a redirect. Closing the browser and starting a new session resolves the issue, as does opening up a different browser and attempting to authenticate.
Our team uses forms authentication for all of our websites and web applications. This is a pretty typical setup where a login form is displayed, the user enters credentials and a cookie is set on the click event of the postback, then a redirect occurs to the same page where the cookie is then referenced and used to complete authentication.
In this situation
FormsAuthentication.FormsCookieName = ".WebAuth"
Within Event:
    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, Username, DateTime.Now, DateTime.Now.AddMinutes(SessionTimeout), false, Username);
    HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
    Response.Cookies.Add(faCookie);
    Response.Redirect(Request.RawUrl, true);
After the redirect, on PreInit:
    HttpCookie authCookie = Request.Cookies[cookieName];
At this point, the authCookie variable is typically not null, but in these isolated circumstances that I've outlined above, the cookie comes back null after the redirect.
This happens very randomly, sometimes weeks before affecting one of our developers. As I said, restarting the browser resolves the issue.
Today I had it happen on our dev server while using Chrome. I had logged into the application, allowed the application to session timeout, and then attempted to login again. The attempted login then failed to set the cookie. I remotely attached Visual Studio to the process on the server to begin debugging. The entire time I could step through my code, even deploy new code versions to the server with updates, restart the app, restart IIS on the server, attach and reattach to the project, and the issue persisted in Chrome. In Firefox, I was able to authenticate without issue.
From Chrome, the login would validate, attempt to set a Response Cookie as outlined above. Prior to redirect, I could see the properly set Response Cookie, as well as its counterpart in the Request Cookies. However, on each redirect after a seemingly successful login, the Response and Request Cookie are gone.
I enabled Trace on the application to view the cookie collection:
There is a .WebAuth in the Request Cookies Collection, as well as ASP.NET_SessionId and several ASPSESSIONIDxxxxxxxx, but when the page loads, only the ASP.NET_SessionId and ASPSESSIONIDxxxxxxxx cookies are available in the Request.Cookies scope, no sign of the .WebAuth. However, in the page's Trace information after render, there are multiple .WebAuth cookies listed, it is just that the page seems to have no access to them.
Primarily, on a working version after authentication there is both a .WebAuth Response and Request Cookie in the page's Trace info. But on a non-functioning browser window, the Response Cookie is absent.
Has anyone else had any experience with this? It is such a nagging issue, and so sporadic, but I would love to be able to resolve it. My concern is that it may be affecting users and we would have no knowledge since the description of the issue is so convoluted.
I have a site that is using Forms Auth. The client does not want the site session to expire at all for users. In the login page codebehind, the following code is used:
    // user passed validation
    FormsAuthentication.Initialize();
    // grab the user's roles out of the database
    String strRole = AssignRoles(UserName.Text);
    // creates forms auth ticket with expiration date of 100 years from now and make it persistent
    FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1, UserName.Text, DateTime.Now, DateTime.Now.AddYears(100), true, strRole, FormsAuthentication.FormsCookiePath);
    // create a cookie and throw the ticket in there, set expiration date to 100 years from now
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(fat)) { Expires = DateTime.Now.AddYears(100) };
    // add the cookie to the response queue
    Response.Cookies.Add(cookie);
    Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
When I log into the site I do see the cookie correctly being sent to the browser and passed back up. However, when I walk away for 20 minutes or so, come back and try to do anything on the site, the login window reappears. This solution was working for a while on our servers - now it's back. The problem doesn't occur on my local dev box running Cassini in VS2008.
I'm creating an image (jpg) at run time in my application (ASP.NET/C# 3.0). I need to delete the created image after 30 mins. So is it possible to set an expiration on the image after 30 mins when creating the image, like setting expiration on cookies?
I'm programmatically sending an email and I want to set it to expire after a certain amount of time. I tried using the following but it doesn't seem to work:
message.Headers.Add("Expires", Now.AddMinutes(2))
I can see the value in the header but the email doesn't actually expire.
I am not sure if I am asking this question correctly. Sometimes when you don't know enough, you may not know what to ask. I want to set up memberships with an ASP.NET website. The memberships will have a 14 day free trial period. After that, the user will need to pay a fee if they wish to continue to access the website. I am not sure how to accomplish this. After adding a membership database to the website, setting up roles etc., what do I do next? Do I need to make adjustments to the tables of the database, or write some code somewhere in the application? I have never done this exercise before. Logically, I know that I need to implement something that keeps track of expiration date. Also, how do I prevent a user from just making up new user names and credentialing?
1) How/where do I set the lifetime of the session cookie in my web application when using an STS to get claims? From what I can tell, it seems I can only do this programmatically in the ServiceConfigurationCreated event.
2) How/where can I make sure that the expiration is sliding?
How to realize auction expiration? Make it inactive after 1-3-5 days? Something like eBay? I am using ASP.NET C#. I have an "active" boolean field in my auction table.
I've been doing web development for a while and have yet to read a good answer to this question: Given a page that executes transactions through a postback, how do you prevent the user from duplicating the transaction when they do something as simple as hit the back button? I've explored trying to expire the cache but I must admit I'm lacking in my understanding of ASP.NET caching. What is the approach I should use to make the old request stale and invalid?
I have an ASP.NET application. I'm using external JavaScript files in my application. When I test my site with the Page Speed tool from Google it says that the following resources are missing a cache expiration. Also some of the images and CSS files.
I am in need of setting content expiration to immediate for certain parts of my website. Basically we want to expire the "shopping" pages but the browsing pages shouldn't expire, allowing users the ease of using the back button to browse around. Is there a way to enable it per page, master page, folder, or something?
I am an ASP.NET developer using Facebook Developer Toolkit to develop a Facebook Flash application with Flash developer. When the user plays the game for a certain period of time, there are chances that the Facebook session expires and I can't call any Facebook API for processing as a result.
I don't know if the following is possible or not but in brief, here is what I'm trying to achieve:
1. When a user requests to view a document, they click on a link (could be other) which contains an encrypted query string containing data required to retrieve the relevant document, i.e. [URL]
2. I want to ensure that if after x minutes the user goes back to their history and selects the link again or re-types the same URL as above, it will not request the document and will redirect them to a page letting them know that the requested document "link" is no longer valid.
I don't want to rely on cookies or sessions, so thought that maybe there would be a way to add a datetime token at the end of the existing url but this needs to be done at run-time as the url is already predefined when the link is created, so I'm not sure how can I do this?
Ideally, I'd like something like this [URL] where the token would contain the date & time when the link was clicked.
Once re-requested, I would decrypt the token and validate it against the server time and if it was over the x minutes defined, it would redirect me to the "link is no longer valid" page.
I have a scenario in my application where I need to display the session expiration time to the user. I set session expiration to 30 minutes in my application; 5 minutes before the session expiration, I need to show a message to the user that the session is going to expire.
How can I do this implementation? I am using VS 2010 + MVC 2.0 + jQuery.
I want a specific session variable (in my case Session["level"]) to expire either on the normal 20 min. timer or at 19:30 every day. Because I change a value in my database everyday at 19:30 and I want this session variable to be related to that value. Is this possible?