Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
267 views
in Technique[技术] by (71.8m points)

c# - Cookie Confusion with FormsAuthentication.SetAuthCookie() Method

So there are lots of posts on StackOverflow regarding this, but I still was unable to solve my exact problem. Here's the gist:

I have a website that requires authentication. I am using the standard .NET FormsAuthentication.SetAuthCookie() method to persist the user's session.

My question is this: In the web.config file, there is a timeout attribute to the "/system.web/authentication/forms" node. If I set this value to say, 30 minutes, is this the time of user inactivity the user can have before their session expires?

The reason I ask is that no matter what I set this value to, if I set persistence to true in SetAuthCookie(), the expiration on the cookie set is 90 minutes. If I set persistence to false in SetAuthCookie(), the cookie expiration is set to "end of session".

What is that "Timeout" attribute value actually setting, and how can I get a persistent cookie that lasts a month or a year or longer?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The parameter timeout you've found in /system.web/authentication/forms is the timeout (in minutes) of the duration of authentication ticket.

This means that after a certain amount of time of inactivity, a user is prompted to login again. If you try to check this My.Profile.Current.IsAuthenticated it will be false.

You can choose not to persist the cookie. In this situation if your ticket expires, your cookie expires too. The cookie (in case is persisted) has a purpose to remember the user if he/she comes back to your site.

You might want to persist your cookie for 10 years so the user will never have to insert username and password again, unless they've chosen to delete the cookie. The cookie is valid even if the browser is closed (when it is persisted).

Another important thing to remember is the parameter slidingExpiration:

<authentication mode="Forms">
    <forms loginUrl="~/Partner/LogOn" defaultUrl="~/Home/Index" 
           timeout="30" slidingExpiration="true" />
</authentication>

if it's true your authentication ticket will be renewed every time there's activity on your site: refresh of the page etc.

What you can do - and what I've done - is to write your own cookie like this:

 FormsAuthenticationTicket authTicket = new
     FormsAuthenticationTicket(1, //version
     userName, // user name
     DateTime.Now,             //creation
     DateTime.Now.AddMinutes(30), //Expiration (you can set it to 1 month
     true,  //Persistent
     userData); // additional informations

Update

I've implemented this routine cause I want to store my groups in an encrypted cookie:

Dim authTicket As System.Web.Security.FormsAuthenticationTicket = _
        New System.Web.Security.FormsAuthenticationTicket( _
            1, _
            UserName, _
            Now, _
            Now.AddYears(100), _
            createPersistentCookie, _
            UserData)

Dim encryptedTicket As String = System.Web.Security.FormsAuthentication.Encrypt(authTicket)

Dim authCookie As HttpCookie = New HttpCookie( _
    System.Web.Security.FormsAuthentication.FormsCookieName, _
    encryptedTicket)

If (createPersistentCookie) Then
    authCookie.Expires = authTicket.Expiration
End If

Response.Cookies.Add(authCookie)

As you can see I've set the expiration of the authentication cookie and the authentication ticket with the same timeout (only when persisted).

Another thing that I've tried is to stored username and password in the encrypted cookie. Everytime a masterpage is loaded I check My.Profile.Current.IsAuthenticated to see if the authentication is still valid. If not I read the cookie again, get the username and password, and check it on the DB:

Public Function ReadCookieAuthentication(ByVal Context As System.Web.HttpContext) As Security.CookieAuth

    Dim CookieUserData = New Security.CookieAuth()

    Dim cookieName As String = System.Web.Security.FormsAuthentication.FormsCookieName
    Dim authCookie As HttpCookie = Context.Request.Cookies(cookieName)

    If (Not (authCookie Is Nothing)) Then
        Dim authTicket As System.Web.Security.FormsAuthenticationTicket = Nothing
        Try
            authTicket = System.Web.Security.FormsAuthentication.Decrypt(authCookie.Value)
            If (Not (authTicket Is Nothing)) Then
                If (authTicket.UserData IsNot Nothing) AndAlso Not String.IsNullOrEmpty(authTicket.UserData) Then
                    CookieUserData = New JavaScriptSerializer().Deserialize(Of Security.CookieAuth)(authTicket.UserData.ToString)
                End If
                CookieUserData.UserName = authTicket.Name
            End If
        Catch ex As Exception
            ' Do nothing.
        End Try
    End If

    Return (CookieUserData)

End Function

Security.CookieAuth is an object I've created to return username and password.
CookieUserData is the storage (I save in json format) where I put my password and groups.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...