Validity of FormsAuthenticationTicket

I searched the Internet and found many odd answers, and I tried almost all of them. My problem is this. My login page contains:

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(min), persistCookie, userid.ToString());
    string encTicket = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
    cookie.Expires = ticket.Expiration;
    Response.Cookies.Add(cookie);
    FormsAuthentication.RedirectFromLoginPage(userName, persistCookie);

Now the min value is specified for each user and can be set individually, and so can persistCookie.

As I understand it, this code should make it possible to override the default values in web.config, which should be 30 minutes.

    <authentication mode="Forms">
      <forms loginUrl="~/Default/default.aspx" defaultUrl="~/User/UserMain.aspx"/>
    </authentication>

min is 120, and persistCookie is set correctly too. When I log in, I get a timeout after 30 minutes. (It is not a session cookie, so the expiration is being set, because if it had not been set, the cookie would be session-based; also, I do not get 120 minutes, which is the whole point here.)

My question, to simplify it, is how to get the value of "min" as the cookie expiration date?

This might turn out to be too simple a task, but at present I am completely stuck, so any help would be appreciated.

EDIT: I changed the login logic:

    FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(min), persistCookie, userid.ToString());
    string encTicket = FormsAuthentication.Encrypt(fat);
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket) { Expires = fat.Expiration });
    Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));

And now it works. But I can't understand why this works and the previous one did not. Creating the ticket is the same; the only difference is that I set the Expires property of the HttpCookie when creating the HttpCookie, and not after creating the object.

If anyone has a good explanation, I'm all ears! :)

+4
2 answers

The problem with your code is that you call RedirectFromLoginPage, which will create a forms authentication cookie, overwriting the cookie you just created:

    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
    cookie.Expires = ticket.Expiration;
    Response.Cookies.Add(cookie);
    FormsAuthentication.RedirectFromLoginPage(userName, persistCookie); // <-- creates a new cookie

The cookie created by RedirectFromLoginPage will, of course, have a default timeout taken from the configuration.

Your second version is the way to go.

+5

I think you don't understand the difference between the expiration of a cookie and the expiration of a ticket: the ticket can be considered expired even if the cookie it is stored in is still valid. The 4th parameter of the FormsAuthenticationTicket constructor is responsible for the expiration date of the ticket.

So, to answer your question, you need to manually set the expiration date of your cookie or make it long enough to exceed the validity period of your ID ticket.

+2
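Both answers combined, as an added example that is not code from the question or from either answerer: the sign-in writes exactly one authentication cookie and never calls RedirectFromLoginPage, and a second method reads back the lifetime stored inside the ticket, which is what the server actually enforces. The class and method names are hypothetical, and setting Expires only for persistent cookies is a choice made in this example.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class PerUserFormsAuth   // hypothetical helper, not a framework type
{
    // Issues one auth cookie whose ticket lifetime is the per-user "minutes" value.
    public static void SignIn(HttpContext ctx, string userName, string userId,
                              int minutes, bool persistCookie)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(minutes), persistCookie,
            userId, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep the ticket away from page script
            Secure = FormsAuthentication.RequireSSL,  // follow the <forms requireSSL> setting
            Path = FormsAuthentication.FormsCookiePath
        };
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Persistent: the browser keeps the cookie for as long as the ticket is valid.
        // Non-persistent: Expires stays unset, so the browser treats it as a session cookie.
        if (persistCookie)
            cookie.Expires = ticket.Expiration;

        ctx.Response.Cookies.Add(cookie);
        // GetRedirectUrl only computes the return URL; unlike RedirectFromLoginPage
        // it does not write a second cookie with the web.config timeout.
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistCookie));
    }

    // Lifetime left in the ticket the browser sent back, or null if there is no valid ticket.
    public static TimeSpan? RemainingTicketLifetime(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // tampered value or different machineKey

        if (ticket == null || ticket.Expired) return null;
        return ticket.Expiration - DateTime.Now;
    }
}
```

Logging RemainingTicketLifetime(Request) on the first page after login shows whether the ticket carries the per-user value or the configured default.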

Source: https://habr.com/ru/post/1414581/

