Forms authentication, persistent cookies and ARR-RRGH!

Last post 02-12-2008 4:48 AM by XiaoYong Dai – MSFT. 5 replies.


  • Forms authentication, persistent cookies and ARR-RRGH!

    02-08-2008, 6:21 AM
    • Participant
      760 point Participant
    • T. R. Tinker
    • Member since 06-10-2005, 12:32 PM
    • Tombstone, AZ (USA)
    • Posts 285

    This has been asked many times, but I'm not getting the answer - or not seeing how it applies to me.

    I have a site that displays information from a desktop application based in MS Access.  Authorized users are stored in a table within the desktop app.  I cannot alter, copy or duplicate that MS Access table.

    Site users will often login in the morning and leave the site open all day to monitor changes, similar to how I use Outlook - I open it once, and check it periodically throughout the day.  These are high-ranking users and I cannot keep logging them off and forcing them to log in again every thirty minutes, or whatever, and expect to ever again get a pay raise.

    I also have lower-ranking users who do not have full access rights, and therefore, do not and cannot log in.

    The problems are: (1) I cannot use the same timeout settings in the web.config for both types of users, (2) I will not use membership, roles or anything else other than the existing custom database, (3) I cannot find an explanation for how I can set a separate timeout period for logged-in users from that used for a visitor, and (4) I cannot write a custom provider method -- this has to be a system that can be distributed, installed and maintained by people with lesser or few programming skills.

    I HATE (are you listening Asp.Net Team?) the changes in Net 2.0 authentication that have been forced on us!  Excellent for new development and as horrible as it gets for porting existing sites to Net 2.0.

    Does anyone have hints, tips, or references for how I can set a persistent cookie through a custom database?

    Tinker

     

  • Re: Forms authentication, persistent cookies and ARR-RRGH!

    02-12-2008, 2:59 AM

    T. R. Tinker:

    Site users will often login in the morning and leave the site open all day to monitor changes, similar to how I use Outlook - I open it once, and check it periodically throughout the day.  These are high-ranking users and I cannot keep logging them off and forcing them to log in again every thirty minutes, or whatever, and expect to ever again get a pay raise.

    Hi

    Based on my understanding, you want to "remember" authenticated users after they have logged in and left the site open. However, you don't want to increase the timeout value of the authentication cookie. So I suggest you have a hidden frame on your page that refreshes every 10 minutes. This will postpone the expiry date as long as the IE window is open. If the user closes the browser, it means he/she is not active and needs to log in again the next time the site is opened. Hope it helps.

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
  • Re: Forms authentication, persistent cookies and ARR-RRGH!

    02-12-2008, 3:31 AM
    • T. R. Tinker

    Thank you.  What I am trying to do is set an expiration date/time for the authentication ticket when a user asks for a persistent cookie that is different from the timeout that is set in the web.config.

    In the web config, I want to set non-persistent cookies to expire in 15 minutes, but set persistent cookies to expire in 72 hours.

    Scott Guthrie talks about one way to do this at http://weblogs.asp.net/scottgu/archive/2005/11/08/430011.aspx, however, setting authentication tickets for both persistent and non-persistent cookies to one week (or more or less) is not the right answer for this "problem".

    One suggestion found here in the forums (and in many other places on the WWW) uses code something like this:

       if (Login1.RememberMeSet) {
           FormsAuthenticationTicket authTicket = new
               FormsAuthenticationTicket(user.Id.ToString(), true);
           string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
           HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
           cookie.Expires = authTicket.Expiration;
           HttpContext.Current.Response.Cookies.Set(cookie);
           Response.Redirect(FormsAuthentication.GetRedirectUrl(user.Id.ToString(),false), true);
           }
       else {
           FormsAuthentication.SetAuthCookie(user.Id.ToString(), false);
           FormsAuthentication.RedirectFromLoginPage(user.Id.ToString(), false);
           }

    This, however, does not set a unique expiration date for the persistent cookie, it uses the setting in the web.config file.

    So I was looking for a way to set a unique expiration date/time for persistent cookies without recurrent banging on the server.  Thank you for your suggestion; it would certainly work, but it's not the solution I am trying to find.

    Tinker

     

  • Re: Forms authentication, persistent cookies and ARR-RRGH!

    02-12-2008, 3:57 AM
    Answer

    T. R. Tinker:
    FormsAuthenticationTicket authTicket = new
               FormsAuthenticationTicket(user.Id.ToString(), true);
           string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
           HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
           cookie.Expires = authTicket.Expiration;
           HttpContext.Current.Response.Cookies.Set(cookie);
           Response.Redirect(FormsAuthentication.GetRedirectUrl(user.Id.ToString(),false), true);

    Hmm, what about manually setting a cookie as the authentication ticket, like the following article does?

    http://geekswithblogs.net/vivek/archive/2006/10/13/93956.aspx

    Here are my steps:

    1. I only set 10 minutes for the authentication timeout in web.config (this setting will be manually overridden in code)

    ---------------web.config--------------

     <forms timeout="10" loginUrl="login.aspx"></forms>  

    2. Use this code to manually set the timeout to 30 minutes

            FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket("MyUserName", true, 30); // should be the same as the cookie expiration
            string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
            HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
            authCookie.Expires = DateTime.Now.AddMinutes(30); // make sure it is the same as the forms authentication ticket expiry value
            HttpContext.Current.Response.Cookies.Add(authCookie);
            Response.Redirect("default.aspx");

    3. Then check if the user is still authenticated within 30 minutes. Look forward to your reply

    4. BTW: I tested the above code without a Login control on the page.

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support

  • Re: Forms authentication, persistent cookies and ARR-RRGH!

    02-12-2008, 4:28 AM
    • T. R. Tinker

    This is it!  A small change to better fit what I needed, and it sets the persistent cookie for three days, non-persistent for 30 minutes:

        FormsAuthenticationTicket authTicket;

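        // The 6-argument overload takes userData as its last argument, so the
        // 7-argument overload (userData, then cookiePath) is used to pass the path.
        if (persist) {
          authTicket = new FormsAuthenticationTicket(1, MyUserName, DateTime.Now, DateTime.Now.AddDays(3), true, string.Empty, FormsAuthentication.FormsCookiePath);
          }
        else {
           authTicket = new FormsAuthenticationTicket(1, MyUserName, DateTime.Now, DateTime.Now.AddMinutes(30), false, string.Empty, FormsAuthentication.FormsCookiePath);
           }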

        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

        authCookie.Expires = authTicket.Expiration;

        HttpContext.Current.Response.Cookies.Set(authCookie);

        Response.Redirect("default.aspx");

    Thank you, very much.  Now I can stop beating my head against a wall.

    Tinker
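
An added example, not part of the thread and not the posters' code: the same two-lifetime ticket, issued with the cookie attributes that FormsAuthentication.SetAuthCookie applies but a hand-built HttpCookie does not (HttpOnly, Secure per requireSSL, path, domain). The class and method names are hypothetical, the lifetimes are the ones from the post above, and unlike that post the non-persistent cookie is left without an Expires date so it is not written to disk.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper: the name and shape are assumptions, not from the thread.
public static class AuthCookieIssuer
{
    // Lifetimes taken from the post above.
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(3);
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(30);

    // Call only after the credentials have been validated against the user store.
    public static void Issue(HttpResponse response, string userName, bool persist)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(persist ? PersistentLifetime : SessionLifetime);

        // 7-argument overload: userData and cookiePath are separate parameters.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, issued, expires, persist,
            string.Empty, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));

        // A new HttpCookie defaults to HttpOnly = false and Secure = false.
        cookie.HttpOnly = true;                          // hide the ticket from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // honours <forms requireSSL="...">
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Only the "remember me" cookie gets an Expires date. Without one the
        // browser drops the cookie when it closes, while the ticket's own
        // expiration still enforces the 30-minute limit on the server.
        if (persist)
            cookie.Expires = ticket.Expiration;

        response.Cookies.Set(cookie);
    }
}
```

From the login page this would be called as `AuthCookieIssuer.Issue(Response, userName, persist);` followed by the redirect.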

  • Re: Forms authentication, persistent cookies and ARR-RRGH!

    02-12-2008, 4:48 AM

    I'm glad the above solution helps,

    Have a good day :)

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support
