FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0?


I was answering a query related to FormsAuthentication in ASP.NET 2.0 and got to know that the behavior of persistent cookies has changed in 2.0, meaning that they take the "timeout" value from the web.config file (even if we manually set the cookie's expiry time). The documentation in MSDN (http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx) is also incorrect in my opinion, as it says that persistent cookies do not time out. In fact they do, and they take the value from the web.config timeout attribute (whereas in ASP.NET 1.1 the persistent cookie had a long timeout of around 50 years and did not take the web.config timeout value into account). Here is the code I used:

using System;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string Username = "vivekT";
        if (TextBox1.Text == "a")
        {
            // true asks for a persistent cookie
            HttpCookie cookie = FormsAuthentication.GetAuthCookie(Username, true);
            // DOESN'T WORK in 2.0: the ticket inside the cookie still expires after the
            // "timeout" value from web.config, whatever Expires is set to here
            cookie.Expires = DateTime.Now.AddMonths(3);
            Response.Cookies.Add(cookie);
            // redirect to the originally requested page
            Response.Redirect(FormsAuthentication.GetRedirectUrl(Username, true));
        }
    }
}
// end class

Also, even if I use FormsAuthentication.RedirectFromLoginPage(Username, true), which should create a persistent cookie, the behavior is not as expected. The timeout value from web.config is again "enforced", making sure that truly persistent cookies become a thing of the past.

I went through another post and realized that this new behavior has "crippled" the "Remember me" check-box functionality: in ASP.NET 2.0 we cannot have persistent and non-persistent cookies with different timeouts, and lengthening the shared timeout to suit "Remember me" weakens the security of the non-persistent cookie, as mentioned in the same post.

Am I missing something here or has ASP.NET 2.0 really crippled itself?

UPDATED

Thanks to another discussion on the forums I got to know that in ASP.NET 2.0 you need to manually set the FormsAuthenticationTicket's expiration to create a persistent cookie. See the code below:

// Inside the Login page, after the user has been validated (needs System, System.Web and System.Web.Security)
DateTime now = DateTime.Now;
DateTime expires = now.AddMonths(3);

// The ticket timeout is given in minutes; derive it from the same DateTime as the cookie
// so that the ticket expiry and the cookie expiry are the same value
int timeoutMinutes = (int)(expires - now).TotalMinutes;
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(Username, true, timeoutMinutes);

string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

authCookie.Expires = expires; // make sure it's the same as the FormsAuthentication ticket expiry value

Response.Cookies.Add(authCookie);

Response.Redirect("default.aspx");
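As an added example (not code from the original post), the snippet below pulls the two cases discussed above, the short-lived cookie that takes its lifetime from the web.config timeout and the "Remember me" cookie with an explicit ticket expiration, into one helper so a login page can issue either without lengthening the config timeout for everyone. The RememberMeAuth class, the 90-day PersistentLifetime and the TicketStillValid helper are assumptions of this example; the FormsAuthentication and FormsAuthenticationTicket calls are the standard ASP.NET 2.0 API. The point to notice is that the expiration stored inside the encrypted ticket is what the server checks; the cookie's Expires only tells the browser when to stop sending it, so the two are set from the same DateTime.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not from the original post): issue either the session cookie,
// whose ticket lifetime is the <forms timeout> value from web.config, or a
// long-lived "Remember me" cookie whose ticket expiration is set explicitly.
public static class RememberMeAuth
{
    // Hypothetical lifetime for the persistent ticket; pick what site policy allows.
    // A stolen persistent cookie stays usable for this long, so keep it as short as the feature permits.
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(90);

    public static HttpCookie CreateAuthCookie(string username, bool rememberMe)
    {
        HttpCookie cookie;
        if (!rememberMe)
        {
            // Session cookie: the ticket timeout comes from web.config and no Expires
            // is set, so the browser discards the cookie when it closes.
            cookie = FormsAuthentication.GetAuthCookie(username, false);
        }
        else
        {
            DateTime issued = DateTime.Now;
            DateTime expires = issued.Add(PersistentLifetime);

            // Build the ticket with an explicit expiration instead of relying on the
            // config timeout (version 1, no userData, default forms cookie path).
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                1, username, issued, expires, true, string.Empty,
                FormsAuthentication.FormsCookiePath);

            cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
            cookie.Path = FormsAuthentication.FormsCookiePath;
            // Same value as the ticket, so browser and server agree on the lifetime.
            cookie.Expires = expires;
        }

        // Keep the cookie away from script and, when the site requires SSL, off plain HTTP.
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        return cookie;
    }

    // Decrypts a cookie issued above and reports whether the server-side ticket
    // is still valid, which is the check that actually decides the login's lifetime.
    public static bool TicketStillValid(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return false;
        }
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        return ticket != null && !ticket.Expired;
    }

    // Usage from a login page's click handler (Page context, so Response is available):
    //   bool remember = RememberMeCheckBox.Checked;   // hypothetical check-box control
    //   Response.Cookies.Add(RememberMeAuth.CreateAuthCookie(username, remember));
    //   Response.Redirect(FormsAuthentication.GetRedirectUrl(username, remember));
}
```

With this split the web.config timeout can stay short for ordinary sessions, and only the cookies issued with the check-box ticked carry the long ticket expiration. Encrypt and Decrypt use the application's machineKey, so the helper must run inside an ASP.NET application rather than a plain console program.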

Comments (2)

   
Matt
Attribute 'onclick' is not a valid attribute of element 'Label'.

FAIL
7/20/2009
 · 
by
   
Vinz
Basically Label doesn't have a server OnClick event that's why Visual Studio gives you that warning message..But we can attach a javascript onclick event to it... Once it will render in the page then the javascript will recognize that event and execute the event...
7/20/2009
 · 
by
