Forms Login Page Not Logging Out

Hermit Dave

i have seen that behavior (to a certain extent) on local machine but once i
put it on my host it does behave...

the behavior I noticed was that if you logged in using forms authentication
and did not explicitly sign out.. ie invalidating the cookie.. you can still
open a new browser window and go straight through... but only for
the period of time where the ticket is valid... (the session is again
dependent on browser instance.. so I will have a new session)

ie I explicitly create a forms ticket and I specify a valid-till time of 30
mins...

session is a different story altogether... session is not bound by forms
authentication; rather it is based on whether it receives any request
from the client... 20 mins I think is the default timeout... so you can still
have a valid cookie but get a new session if you log in and do not use your
site for 25 mins.. and then start browsing again...

they are two different things (session and authentication) and don't confuse
them.... when you design your app just be sure that you know how exactly it
behaves.
 

Kenneth Keeley

Hi,
I have a web app that has forms authentication and I can log in to the
page the first time I go there, but it never times me out: if I come back in
24 hours and hit the refresh key, the page loads and I am still logged in. My
session details are gone but I am still logged in.

These are the settings I am using; are they right or do I need to change
them?
<system.web>
    <authentication mode="Forms">
        <forms name=".ASPXAUTH" loginUrl="login.aspx"
               protection="Validation" timeout="20" />
    </authentication>
    <authorization>
        <deny users="?" />
    </authorization>
</system.web>


Thanks for the Help
Kenneth
 

Hermit Dave

should be alright.. it's always worth a try...

here's the code... copying it from my post a few days back...

Here's a bit of forms authentication from my project

// Register.aspx.cs - register and log the user in the first time

private void btnRegister_Click(object sender, System.EventArgs e)
{
    if(Page.IsValid)
    {
        FormsAuthentication.Initialize();
        UserDetail myUser = new UserDetail();   // application's own user record
        myUser.Email = txtEmail.Text;
        // Unsalted MD5 of the password, as posted; a salted hash is preferable
        myUser.PasswordHash =
            FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "md5");
        UsersDB myUserDB = new UsersDB();       // application's own data access class

        bool UserAdded = myUserDB.SetUserInfo(ref myUser);
        if(UserAdded == false)
        {
            lblUserExists.Visible = true;
            return;
        }
        else
        {
            LoggedUserInfo myUserInfo = myUserDB.GetRoles(myUser.Email,
                                                          myUser.PasswordHash);
            if(myUserInfo.Role != null && myUserInfo.Role != "")
            {
                // issue the auth ticket (non-persistent cookie on registration)
                Security.SetUserInfo(myUserInfo, false);
                // Redirect to the requested URL
                string returnURL;
                if(ViewState["returnURL"] != null)
                    returnURL = (string)ViewState["returnURL"];
                else
                    returnURL = "/";

                Response.Redirect(returnURL);
            }
        }
    }
}

----------------------------------------------------------------------------
// Security.cs containing the Security class - used to set the authentication
// ticket and cookie
public static void SetUserInfo(LoggedUserInfo myUser, bool persistent)
{
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket
    (
        1,                                   // ticket version
        myUser.UserID + ", " + myUser.Name,  // user name associated with the ticket
        DateTime.Now,                        // date/time issued
        DateTime.Now.AddMinutes(30),         // date/time to expire (this, not the
                                             // Session timeout, decides how long the login lasts)
        persistent,                          // cookie persistence
        myUser.Role,                         // user data
        FormsAuthentication.FormsCookiePath  // cookie path configured
    );
    // Encrypt and sign the ticket with the machine key; on a web farm every
    // server needs the same machineKey to decrypt it
    string hash = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);

    // For a persistent cookie, set its expiration to the ticket's expiration;
    // otherwise it stays a session cookie and is discarded when the browser closes
    if(ticket.IsPersistent)
        cookie.Expires = ticket.Expiration;
    HttpContext.Current.Response.Cookies.Add(cookie);
}

----------------------------------------------------------------------------
// Login.aspx (code-behind) - log user in
private void btnLogin_Click(object sender, System.EventArgs e)
{
    if(Page.IsValid)
    {
        FormsAuthentication.Initialize();
        UsersDB myUser = new UsersDB();     // application's own data access class

        string email, passwordHash;
        email = txtEmail.Text;
        // same unsalted MD5 as used at registration, so the hashes compare equal
        passwordHash =
            FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "md5");
        LoggedUserInfo myUserInfo = myUser.GetRoles(email, passwordHash);
        if(myUserInfo.Role != null && myUserInfo.Role != "")
        {
            // "Remember me" makes the cookie persistent (survives browser close)
            Security.SetUserInfo(myUserInfo, chkRememberMe.Checked);

            // Redirect to the requested URL
            string returnURL;
            if(ViewState["returnURL"] != null)
                returnURL = (string)ViewState["returnURL"];
            else
                returnURL = "/";

            Response.Redirect(returnURL);
        }
        else
        {
            lblErrorMsg.Text = "UserName / Password Incorrect Please try again.";
        }
    }
}

----------------------------------------------------------------------------
// Web.config file
// under configuration >> system.web
<authentication mode="Forms">
    <forms name=".ASPXAUTH"
           loginUrl="Login.aspx"
           timeout="30"
           slidingExpiration="true"
           protection="All"
           path="/" />
</authentication>

----------------------------------------------------------------------------
// Last but not the least....
// Global.asax.cs
// needs: using System.Web.Security; using System.Security.Principal;
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    if(HttpContext.Current.User != null)
    {
        // FormsAuthenticationModule has already rejected expired or invalid tickets
        if(HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if(HttpContext.Current.User.Identity is FormsIdentity)
            {
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                FormsAuthenticationTicket ticket = id.Ticket;

                // get the role data stored in the ticket's UserData field
                string userData = ticket.UserData;
                string[] roles = userData.Split(',');
                // replace the principal with one that carries the roles
                HttpContext.Current.User = new GenericPrincipal(id, roles);
            }
        }
    }
}
----------------------------------------------------------------------------

I can access my user info using
HttpContext.Current.User
and can validate whether the user is in a particular role, or what his name or
id is.

hope this helps... I know it's a long post but I didn't have an option...
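To see why a login outlives the configured timeout, the diagnostic page below decrypts the forms ticket on the current request and reports its issue and expiry times beside the session state that the earlier post describes as separate. This is an added example, not code from this thread; it assumes the default cookie name from web.config and that anonymous users may reach the page.

```csharp
// AuthDiag.aspx.cs - added diagnostic page, not code from this thread.
// Assumes anonymous users may reach it, so a stale cookie can still be read.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class AuthDiag : System.Web.UI.Page
{
    // Decrypts the forms ticket on the request and reports the fields that
    // decide whether the user is still logged in. FormsAuthenticationModule
    // checks the ticket's own Expiration; the Session timeout never logs out.
    public static string DescribeTicket(HttpRequest request, HttpSessionState session)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return "No forms auth cookie on this request; user is anonymous.";
        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // machineKey changed since the ticket was issued, or value tampered
        }
        if (ticket == null)
            return "Forms auth cookie present but not valid; user is anonymous.";
        // If LifetimeMin is far larger than <forms timeout="..."> in web.config,
        // the ticket was issued with its own long expiry (typically as a
        // persistent cookie), which is why the user is still logged in later.
        string report =
            "Name=" + ticket.Name +
            " Issued=" + ticket.IssueDate.ToString("u") +
            " Expires=" + ticket.Expiration.ToString("u") +
            " LifetimeMin=" + (ticket.Expiration - ticket.IssueDate).TotalMinutes +
            " Persistent=" + ticket.IsPersistent +
            " Expired=" + ticket.Expired;
        report += " | Session: IsNew=" + session.IsNewSession +
                  " TimeoutMin=" + session.Timeout;
        return report;
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        Response.ContentType = "text/plain";
        Response.Write(DescribeTicket(Request, Session));
    }
}
```

Request the page after a day away: an unexpired ticket with a lifetime far beyond 20 minutes, next to IsNew=True, shows that the ticket rather than the session is keeping the user signed in.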
 

Kenneth Keeley

Hi,

Hermit Dave said:
> i have seen that behavior (to a certain extent) on local machine but once i
> put it on my host it does behave...

So do you think that mine will be ok?

> ie i explicitly create a forms ticket and i specify a valid-till time of 30
> mins...

How did you do that?

Thanks
 

Kenneth Keeley

Hi,
Thanks for the sample, but I found it hard to understand and have not been
able to get it to work. I use VB.Net and an SQL database for the user
accounts. Could you help me to make your sample work with this
configuration?

Thanks
Kenneth
 

Hermit Dave

Kenneth,

I will try and do some VB.NET code, but it might take some time as I don't
normally use VB.NET.
 
