Persistent cookie doesn't appear to be persistent

I have an ASP.NET 2005 web app using forms authentication.  I have a timeout of 30 minutes.  When I don't issue a persistent cookie, I get the expected behavior.  When I do issue a persistent cookie, it only remembers them if they're not inactive for a 30-minute interval.  Any thoughts?
Asked by: stev0931
 
raterus Commented:
Nothing is wrong, it is working exactly as designed.  If you want them to stay active longer through the persistent option, you have to up the timeout value.
 
stev0931 (Author) Commented:
With VS.NET 2003, when I issued a persistent cookie, it didn't expire according to the timeout.  The timeout only applied to when a cookie was not persistent.

Has this been changed with .NET 2005?  If so, how do I get it to behave like .NET 2003?  If not, what am I doing wrong?

Thanks!
 
raterus Commented:
If you really want this behavior, you'll have to create your own authentication cookie (which can get a little difficult).  I'm not sure what asp.net 1.x did, but I'm pretty sure it didn't create a cookie that never expires, in fact I don't believe that is possible since all persistent cookies must have an expiration date.

Any reason why the current behavior can't be matched to your needs by increasing the timeout?
 
stev0931 (Author) Commented:
If a person doesn't check that they want their password remembered (which issues a non-persistent cookie), their session should automatically expire after 30 minutes of inactivity.  But, if a person does check they want their password remembered (which issues a persistent cookie), they should not be logged off (regardless of inactivity).  

This behavior is very common on web sites, so I have to believe it is possible without significant effort in ASP.NET 2.0 (especially since this worked in ASP.NET 1.1)
 
raterus Commented:
Hmm..looks like Microsoft did change the behavior between 1.x and 2.0.  Before, a persistent cookie would last 50 years.  I don't see any settings currently to mimic the old behavior, but I'm not saying they don't exist.  My only suggestion at this point is you are going to have to create the authentication cookie yourself based on whether it is a persistent cookie or not.
 
stev0931 (Author) Commented:
How do I do that?
 
raterus Commented:
Check out the FormsAuthenticationTicket Class,
http://msdn2.microsoft.com/en-US/library/system.web.security.formsauthenticationticket.aspx

There is example code here of what to do in your login page.  You will need to check if the user wants to "remember me", and if so, create a very long persistent cookie, otherwise, follow the set timeout in web.config.

Another thing to mention here is when you go this route, you must remember you can't use FormsAuthentication methods like "RedirectFromLoginPage" or "SetAuthCookie".  These methods will set the standard cookie overwriting what you've done.
 
stev0931 (Author) Commented:
I've got it working fine using the link above when the cookie is issued non-persistently, but I can't get a persistent cookie to issue now (when I issue persistent, it isn't remembered when the user closes the browser and opens a new one up).  This is the code I'm using that doesn't work:

                Dim ticket As New FormsAuthenticationTicket(1, "63846", Date.Now, Date.Now.AddDays(365), true, "test111", FormsAuthentication.FormsCookiePath)
                Dim encTicket As String = FormsAuthentication.Encrypt(ticket)
                Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, encTicket))
                Response.Redirect(FormsAuthentication.GetRedirectUrl("63846", CheckBox1.Checked))

Any suggestions?
 
raterus Commented:
I see your problem,

The data in the FormsAuthenticationTicket needs to know when it expires (because a browser doesn't send the expiration date back to the server).  You are setting this perfectly fine.

However, you still need to set the expiration date of the cookie itself, which you are not doing.  I think you just have to do this,

                Dim ticket As New FormsAuthenticationTicket(1, "63846", Date.Now, Date.Now.AddDays(365), true, "test111", FormsAuthentication.FormsCookiePath)
                Dim encTicket As String = FormsAuthentication.Encrypt(ticket)
                Dim c as HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
                c.Expires = Date.Now.AddDays(365)
                Response.Cookies.Add(c)
                Response.Redirect(FormsAuthentication.GetRedirectUrl("63846", CheckBox1.Checked))

Also, I'm pretty sure "FormsAuthentication.GetRedirectUrl" is going to mess up your cookie as well, I'd remove this in favor of Request.QueryString("RedirectURL")


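The answer above, consolidated into one helper as an added example (not code from the thread or from Microsoft): it sets the ticket expiration and, for "remember me" logins only, a matching cookie expiry, and it marks the cookie HttpOnly and Secure according to the forms configuration. `AuthCookieHelper` and `IssueAuthCookie` are hypothetical names, and the 30-minute and 365-day lifetimes are assumptions taken from the question and the posted code.

```vb
Imports System
Imports System.Web
Imports System.Web.Security

' Added example (not from the thread). AuthCookieHelper and IssueAuthCookie
' are hypothetical names; the lifetimes are assumptions taken from the thread.
Public Module AuthCookieHelper

    ' Assumed to match the 30-minute forms timeout described in the question.
    Private ReadOnly SessionLifetime As TimeSpan = TimeSpan.FromMinutes(30)
    ' The 365-day "remember me" lifetime used in the thread's code.
    Private ReadOnly RememberMeLifetime As TimeSpan = TimeSpan.FromDays(365)

    Public Sub IssueAuthCookie(ByVal response As HttpResponse, _
                               ByVal userName As String, _
                               ByVal rememberMe As Boolean)
        Dim issued As DateTime = DateTime.Now
        Dim lifetime As TimeSpan = SessionLifetime
        If rememberMe Then lifetime = RememberMeLifetime
        Dim expires As DateTime = issued.Add(lifetime)

        ' The server checks this expiration after decrypting the ticket.
        Dim ticket As New FormsAuthenticationTicket(1, userName, issued, expires, _
            rememberMe, String.Empty, FormsAuthentication.FormsCookiePath)

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        ' Keep the ticket out of reach of client-side script.
        cookie.HttpOnly = True
        ' Follow the requireSSL setting of the forms element in web.config.
        cookie.Secure = FormsAuthentication.RequireSSL

        ' Only a persistent login gets a cookie expiry, and it matches the
        ' ticket so browser and server agree. Without an expiry the browser
        ' treats it as a session cookie and drops it when it closes.
        If rememberMe Then cookie.Expires = expires

        response.Cookies.Add(cookie)
    End Sub
End Module
```

Call it from the login handler in place of `SetAuthCookie` or `RedirectFromLoginPage`, then redirect. A copied ticket stays valid for its whole lifetime, so a year-long cookie is best paired with `requireSSL="true"` in the forms configuration.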
 
stev0931 (Author) Commented:
I just read something that said that if this is being stored in the URL and not in a cookie that it won't be persistent across sessions.  Is this the problem?  If so, how do I fix it?  Thanks!
 
stev0931 (Author) Commented:
I didn't see your post before I submitted the above.  I'll give your post a try...
 
raterus Commented:
I looked it up, looks like you Can use GetRedirectUrl,
http://msdn2.microsoft.com/en-US/library/system.web.security.formsauthentication.getredirecturl.aspx

but if something isn't working, I'd try it the other way!
 
stev0931 (Author) Commented:
It works perfectly!  Thanks!