Security

Re: Problem with Persistent Cookies

mike beal — Sun, 06 May 2007 16:48:20 GMT

I just caught this issue myself wth a site I'm rolling out next week. I was wondering if 'persistent cookies' has more to do with the IE browser settings (particularly IE 7) the users are using rather than anthing wrong we are doing with out cookies or logon controls. I'm looking through those crytic settings now in my browser.

Has anyone persued this line of thought? I am using the login control and although it appears I've set it correctly to persist the cookie it doesn't last any longer than the session length.

Re: Problem with Persistent Cookies

sanchita_ind — Mon, 09 Apr 2007 15:51:16 GMT

Cody21:
Has ANYONE actually got this to work? I think there's some other issue going on that I can't quite put my finger on. I modifed my web.confgi file and in the FORMS section, added the TIMEOUT=500000 value. It;s almost like the Sesson State is overriding the FORMS AUTH value. That is, after around 20 mins, I get TIMED OUT and am forced to re-LOGIN. .... I check and my COOKIE for FORMS AUTH is still there. It's behaving like it's not even checking the cookie that i set.

Some more background - in case it makes a difference. I do NOT require login authentication for the root of my site (www.cityswingsf.com) ... I only force the authentication when you hit a sub-folder of my site that is for Members only. So I have a separate web.config file that uses Roles Mgt for those secured pages ... But like I said, after they login - even with the REMEMBER ME selected - after some time, or even after a browser recycle, it seems to ignore the cookie...

Anyone else??? (Oh, and I currently have cookies DISABLED due to this problem until I can get something that works!)

Well in my case Forms authentication timeout value is picked up and not Session State's timeout. But the problem being that both persistent and non persistent would pick up the same timeout value. Microsoft has put the persistent cookie's lifetime as configurable but how come both would pick up the same timeout. So we will be forcing a user to remain logged in even if he doesn't check the "Remember Me" checkbox...

I am aware of the "Session Variables lost" problem. Thanks for that input.

Regards,

Sanchita

Re: Problem with Persistent Cookies

XiaoYong Dai – MSFT — Wed, 28 Mar 2007 08:32:10 GMT

I guess that it's because resource recycling,

See our KB article and you'll know in general http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316148

Hope it helps

Re: Problem with Persistent Cookies

Cody21 — Mon, 26 Mar 2007 21:43:42 GMT

Has ANYONE actually got this to work? I think there's some other issue going on that I can't quite put my finger on. I modifed my web.confgi file and in the FORMS section, added the TIMEOUT=500000 value. It;s almost like the Sesson State is overriding the FORMS AUTH value. That is, after around 20 mins, I get TIMED OUT and am forced to re-LOGIN. .... I check and my COOKIE for FORMS AUTH is still there. It's behaving like it's not even checking the cookie that i set.

Some more background - in case it makes a difference. I do NOT require login authentication for the root of my site (www.cityswingsf.com) ... I only force the authentication when you hit a sub-folder of my site that is for Members only. So I have a separate web.config file that uses Roles Mgt for those secured pages ... But like I said, after they login - even with the REMEMBER ME selected - after some time, or even after a browser recycle, it seems to ignore the cookie...

Anyone else??? (Oh, and I currently have cookies DISABLED due to this problem until I can get something that works!)

Re: Problem with Persistent Cookies

sanchita_ind — Mon, 26 Mar 2007 20:53:16 GMT

coupla links which discuss this issue -

http://www.dotnetnuke.com/Community/BlogsDotNetNuke/tabid/825/rssid/28/Default.aspx

http://pluralsight.com/blogs/keith/archive/2006/05/24/25023.aspx?Pending=true

looks like the persistent cookie's lifetime depends on the form's timeout value in web.config... so we will have to increase that till days n weeks..

sanchita

Re: Problem with Persistent Cookies

sanchita_ind — Sun, 25 Mar 2007 04:18:12 GMT

ok so my understanding to this problem now is that i can try modifying the web.config n set the timeout to weeks etc..

n yes u r rite this is not tht a big a thing, wch we shud b wasting our time on..

neways if you hear of anything keep posting..

Re: Problem with Persistent Cookies

Cody21 — Sat, 24 Mar 2007 16:35:24 GMT

sanchita_ind:

Hello everyone,

I am having a problem with persistent cookies. Even after setting "CreatePersistentCookie" to true in "FormsAuthentication.SetAuthCookie" I'm somehow being logged out after the specifed timeout provided in "forms" element of web.config.

I read somewhere that persistent cookies take their timeout from the timeout attribute on the forms authentcation node. If I have to enter a timeout of days/weeks then it doesnt really make sense to make my cookie persist in this fashion, that defies the purpose of persistent cookies.

Any insights are welcome

Thanks

Sanchita

yea, i have been dealing with the exact same issue for like 3 weeks now since developing my new site. I am using the LOGIN control in EWD (or VS2005 for that matter). Quite honestly, i don't understand why this is so difficult to implement. I really believe that Microsoft needs to document the specific steps & requirements to allow a LOGIN to remain LOGGED IN for some controlled (by web.config) length of time regardless whether a user shuts down their browser or not. I am using MySql as well. I have seen all kinds of different suggestions on how to fix this -- from writing our own code to managing our own cookies, etc.. If anyone knows how to successfully set web.config items - whether using Roles/Membership providers -- or WHATEVER - I think many many of us would benefit. Based on this FORUM, there are many of us struggling with this LOGIN control for ASP.NET 2.0

Re: Problem with Persistent Cookies

sanchita_ind — Sat, 24 Mar 2007 14:52:03 GMT

hey thanks 4 the reply..

well that post was informative but didnt help that much on my issue cos i dont think we use RoleManager in our config..

the problem is with asp.net 2.0 i feel as i feel the Form's timeout value in web.config is the one who's responsible for persisting cookies.. If you know anything else please share..

Re: Problem with Persistent Cookies

upgView — Sat, 24 Mar 2007 11:07:01 GMT

Take a look here http://forums.asp.net/thread/1555817.aspx

Hope that helps.

Problem with Persistent Cookies

sanchita_ind — Fri, 23 Mar 2007 22:02:04 GMT

Hello everyone,

I am having a problem with persistent cookies. Even after setting "CreatePersistentCookie" to true in "FormsAuthentication.SetAuthCookie" I'm somehow being logged out after the specifed timeout provided in "forms" element of web.config.

I read somewhere that persistent cookies take their timeout from the timeout attribute on the forms authentcation node. If I have to enter a timeout of days/weeks then it doesnt really make sense to make my cookie persist in this fashion, that defies the purpose of persistent cookies.

Any insights are welcome

Thanks

Sanchita