home » blogs » vivek_iit » FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0?

FormsAuthentication Persistent Cookies Crippled in ASP.NET 2.0?

change text size: A A A

posted 3/12/2007 by vivek_iit

I was answering a query related to FormsAuthentication in ASP.NET 2.0 and got to know that the persistent cookies behavior has been changed in 2.0, means that they take the "timeout" value from the web.config file (even if we manually set the cookies expiry time). The documentation in MSDN(http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx) is also incorrect in my opinion, which says that persistent cookies do not time out. Infact they do and take the value from the web.config timeout attribute (whereas in ASP.NET 1.1 the persistent cookie had a long timeout of around 50  years and did not take the web.config timeout value into account). Here is the code I used:

 




public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
     {
        string Username = "vivekT";
       if (TextBox1.Text == "a") 
       {
           HttpCookie cookie = FormsAuthentication.GetAuthCookie(Username, true); 
           //true is used to create a persistent cookie 
           cookie.Expires = DateTime.Now.AddMonths(3);
           //DOESNT WORK in 2.0 as value is taken from "timeout" attribute in the config file
           Response.Cookies.Add(cookie);
           Response.Redirect(FormsAuthentication.GetRedirectUrl(Username, true));
           //redirect to the originally requested page
        } 
    }
 }//end class

Also, even if I use FormsAuthentication.RedirectFromLoginPage(Username, true) which should have created a persistent cookie, the behavior is not as expected. The timout value from web.config is again “enforced“ making sure that truly persistent cookies become a thing of the past.

I went through another post and realized that this new behavior has "crippled" the "Remember me" check-box functionality as we cannot have persistent as well as non-persistent cookies having different timeouts in ASP.NET 2.0, besides weakening the non-persistent security as mentioned in the same post.

Am I missing something here or has ASP.NET 2.0 really crippled itself?

UPDATED

Thanks to another discussion on the forums I got to know that in ASP.NET 2.0, you need to manually set the FormsAuthenticationTicket's expiration to create a peristsent cookie. See the code below:

 FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(Username, true, 1439200); //should be same as cookie expiration

string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);


authCookie.Expires = DateTime.Now.AddMonths(3);
//make sure its same as the formsauthentication ticket expiry value


HttpContext.Current.Response.Cookies.Add(authCookie);


Response.Redirect("default.aspx");
To rate this blog entry please  register or login

Author

vivek_iit vivek_iit (Member since: 11/27/2008)
I am one of the administrators at CodeAsp.Net and I love programming, architecting solutions, code reviews, teaching and writing about ASP.NET.

View vivek_iit 's profile

Comments (no comments yet)

Post a comment

Comment (No HTML)  

Type the characters:
 *
 
   

Join CodeAsp.Net for FREE Today!

It's fast, easy and free! Submit articles, get your own blog, ask questions & give answers in the forums, and become a better developer, faster.

enter your email address:

Blogs RSS Feed

vivek_iit's latest blog posts

  • Dictionary vs Hashtable vs ListDictionary vs HybridDictionary
    7/22/2009
    Hastables are deprecated now because with .NET 2.0 and above the Dictionary class is introduced which is much more efficient because it does not need to box or unbox data while adding/retrieiving items. ListDictionary should be used when the number of items are small (usually less than 10). Else if you are sure that your list will have more items, than use Dictionary. If you are not sure about the number of items, then use a HybridDictionary .
  • Caching in ASP.NET: Velocity Distributed caching Framework
    7/16/2009
    Many beginner developers do not realize how effcient caching mechanisms can play a big role in increasing application performance. Most developers are accustomed to using the default In-Proc session state, or the Cache object to store the application related data. While such in-built caching mechanisms will work perfectly fine for most applications which do not need to scale to higher levels, it is always better to go for scalable caching options if your application might grow (both in terms of ...
  • SQL server install error:One or more of the components being installed are already registered as 32 bit components in the target application.
    7/15/2009
    Recently I got this error while installing SQL Server 2005 64 bit on a machine where previously SQL Server 2005 32 bit was installed: Failed to install and configure assemblies C:\Program Files\Microsoft SQL Server\90\DTS\Tasks\Microsoft.SqlServer.MSMQTask.dll in the COM+ catalog. Error: -xxxxx Error message: Unknown error xxxx Error description: One or more of the components being installed are already registered as 32 bit components in the target application. You must install the 64 bit versio...
  • Abstract classes vs interfaces c#
    7/9/2009
    When should you use Abstract classes for implementing dynamic polymorphism? and when Interfaces are your best option? Most beginners tend to get confused between Abstract classes and Interfaces, so here is a quick primer: In Abstract classes you can use "abstract" keyword to mark methods which *must* to be implemented in derived classes, and use the "virtual" keyword to create some concrete methods which can be overridden in derived classes. So Abstract classes allow you to create method signatu...
  • You must first install one of the qualified Visual Studio editions
    6/26/2009
    Today I was installing MS Visio Enterprise Architect and got this error the moment the installer started to load: "You must first install one of the qualified Visual Studio editions". Considering that I have already installed Visual Studio 2008 Architectecture Edition, this error was very frustrating...after searching Google I noticed this post which mentioend that the Visio installer looks for either VS 2005 or VS 2003 editions in the registry before proceeding ahead with the install. The post ...
Blogs RSS Feed

Latest community blog posts

  • Fetching Data from Database and Populating fields in the Form using LINQ to SQL
    2 hours, 38 minutes ago
    In my previous example I have demonstrated how to create a simple form that would allow users to insert data to the database using L2S. In this example I’m going to demonstrate how to fetch and filter data from database and fill the fields in the form using L2S.  This example is basically a continuation of my previous example here . So I would suggest you to take a look at my previous example first before you proceed reading this example. Continue...
  • Inserting Data to Database using LINQ to SQL
    2 hours, 39 minutes ago
    Few months ago, I’ve created a simple demo about “Creating a Simple Registration Form using the ADO.NET way ”. In this article, I'm going to demonstrate how to create a simple form that would allows users to insert data to the database using L2S.   As an overview, LINQ to SQL is a technology that allow you to query sql server. LINQ to SQL is an O/RM (object relational mapping) implementation that ships in the .NET Framework "Orcas" release, and which allows you to model a relatio...
  • Learning ASP.NET: Where to Begin?
    3/1/2010
    I often see questions at forums(http://forums.asp.net ) asking stuffs like: Where to begin? Where Do I start? How to Get Started? So I deciced to write this "boring " post to express my opinion and hopefully this can help beginners find their way to get started with ASP.NET. Based on my experience learning ASP.NET is just like learning how to play a guitar.. (oh really? why could I say that? ).(1) First you must have this what we called "interest " because if you d...
  • Pluralsight On-Demand Training library
    3/1/2010
    Pluralsight is an online .NET Training library which provides online training materials for .NET developers. Example trainings available on demand: ·  .NET 3.5 ·  Agile Team Practices ·  ASP.NET 3.5 ·  ASP.NET AJAX ·  ASP.NET MVC ·  BizTalk 2006 ·  BizTalk Server 2006 R2    ·  BizTalk Server 2009 ·  iPhone ASP.NET ·  LINQ ·  Managed Services Engine ·  Silverlight 3 ·  SharePoint Services ·  SQL Server 2008    ·  VSTS ·  WCF ·  Windows Server AppFabric, formerly "Dubli...
  • NEW DATA TYPES IN SQL SERVER 2008
    2/17/2010
    • Date and Time: Four new date and time data types have been added, making working with time much easier than it ever has in the past. They include: DATE, TIME, DATETIME2, and DATETIMEOFFSET. • Spatial: Two new spatial data types have been added--GEOMETRY and GEOGRAPHY-- which you can use to natively store  and manipulate location-based information, such as Global Positioning System (GPS) data. • HIERARCHYID: The HIERARCHYID data type is used to enable database applications to m...