Cookies, sessions and timeouts

[Thomas Scheiderich]

Just when you figure out one problem another one shows up.

I am trying to set up authentication for one of my folders and can't seem to
get it to work as advertised (I am sure I am missing something).

I want to set it up as sessionless. If I can't get that to work, I would
like to get the Timeout period to work correctly.

Here is my web.config file:

*************************************************
<configuration>
<system.web>
<sessionState cookieless="true" />
<customErrors mode="Off" />
<authentication mode="Forms">
<forms name="SECAUTH" loginUrl="vdw/password.aspx" protection="None"
timeout="1">
<credentials />
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
*************************************************

I have cookieless set to true (no cookies) and the timeout set to 1 minute.
The program not only is creating cookies, but apparently when I look at when
it expires - it is in 2054 (50 years from now).

What is going on here?

How can I set it to drop the cookie when the browser ends? That would work
also.

Thanks,

Tom.

 

[Thomas Scheiderich]

How long ago did you make the change to your web.config? Often changes

you've immediately made are not evidenced until you either recycle their
application pool [if on a windows 2003 box] or kill the .net process their
app is running under [if on windows 2000 box] or delete the .net temp files
previously placed in the microsoft .net temporary files directory.
Actually I did this 2 days ago, and I just started my computer and didn't
get the login page (when I delete the cookie, however, I will).

Where is the .net temporary files folder located?

Also are you coding in .NET 1.0 or .NET 1.1? Do you have a url where I can

replicate your problem?

Where do I find this? I am not sure which we are running?

I don't really have a URL to check as this is an intranet.


Here is some of the pages and the URL we are getting, instead of the logon
page:

Here is the web.config file in my Contour folder (root)

<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_Contour_Server_openworx"
value="sqlserver.htm" />
<add key="MM_CONNECTION_STRING_Contour_Server_openworx" value="Persist
Security Info=False;Data Source=Raptor;Initial Catalog=openworx;User
ID=tfs;Password=tfstom;Network Library =dbmssocn" />
<add key="MM_CONNECTION_DATABASETYPE_Contour_Server_openworx"
value="SQLServer" />
<add key="MM_CONNECTION_SCHEMA_Contour_Server_openworx" value="" />
<add key="MM_CONNECTION_CATALOG_Contour_Server_openworx" value="" />
<add key="MM_CONNECTION_HANDLER_Contour_Server" value="sqlserver.htm" />
<add key="MM_CONNECTION_STRING_Contour_Server" value="Persist Security
Info=False;Data Source=Raptor;Initial Catalog=VDW;User
ID=tfs;Password=tfstom;Network Library =dbmssocn" />
<add key="MM_CONNECTION_DATABASETYPE_Contour_Server" value="SQLServer" />
<add key="MM_CONNECTION_SCHEMA_Contour_Server" value="" />
<add key="MM_CONNECTION_CATALOG_Contour_Server" value="" />
</appSettings>
<system.web>
<sessionState cookieless="true" timeout="5" />
<customErrors mode="Off" />
<authentication mode="Forms">
<forms name="SECAUTH" loginUrl="vdw/password.aspx" protection="None"
timeout="1">
<credentials />
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>

Here is the web.config file in my VDW folder (under the Contour folder).

<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>

Here is the web page I get that should go to the Login page, but doesn't. I
am curious what the (3oyjlp55x3lom5egc04sp045) is all about - it is not a
folder.

http://192.168.122.55/contour/(3oyjlp55x3lom5egc04sp045)/VDW/VDWXferStatus.a
spx

This is the cookie that never gets deleted. When I delete it, I get the
login page, and the cookie is back (even though I have this set as
cookieless in my web.config file in the root) and never goes away.

[email protected][1].txt

Here is the cookie contents.

SECAUTH
515A4809B01E43840174006600500061007300730077006F00720064002E00760061006C0075
006500000070179B202A59C40101709761B48167FC0100002F000000
192.168.122.55/
1536
3022544640
33318785
547494992
29645098
*

Here is the results from my web page that looks at the cookie You'll notice
the expiration date of 2054 as well as the persistant value..

tfPassword.value
Cookie Path: /

Expiration: 6/23/2054 6:58:14 AM

Expired: False

IsPersistent: True

IssueDate: 6/23/2004 6:58:14 AM

UserData:

Version: 1


Here is the web page I that gave me this result (you'll notice there is no
name being displayed).

Sub Page_Load
Dim objUserIdentity As FormsIdentity
Dim objTicket As FormsAuthenticationTicket

If User.Identity.IsAuthenticated Then
objUserIdentity = User.Identity
objTicket = objUserIdentity.Ticket
lblName.Text = objUserIdentity.Name
lblPath.Text = objTicket.CookiePath
lblExpiration.Text = objTicket.Expiration
lblExpired.Text = objTicket.Expired
lblIsPersistent.Text = objTicket.IsPersistent
lblIssueDate.Text = objTicket.IssueDate
lblUserData.Text = objTicket.UserData
lblVersion.Text = objTicket.Version
Else
lblName.Text = "Who Are You?"
End If
End Sub

</Script>

<html>
<head><title>FormsIdentity.aspx</title>
<body>

<asp:Label
ID="lblName"
Font-Size="18pt"
Font-Bold="True"
Runat="Server" />
<p>
Cookie Path:
<asp:Label
ID="lblPath"
Font-Size="18pt"
Font-Bold="True"
Runat="Server" />
<p>
Expiration:
<asp:Label
ID="lblExpiration"
Runat="Server" />
<p>
Expired:
<asp:Label
ID="lblExpired"
Runat="Server" />
<p>
IsPersistent:
<asp:Label
ID="lblIsPersistent"
Runat="Server" />
<p>
IssueDate:
<asp:Label
ID="lblIssueDate"
Runat="Server" />
<p>
UserData:
<asp:Label
ID="lblUserData"
Runat="Server" />
<p>
Version:
<asp:Label
ID="lblVersion"
Runat="Server" />

</body>
</html>

Thanks,

Tom