
I have set up my first login system and have followed:

https://stackoverflow.com/a/10524305

To store some additional data without having to make multiple trips to the database.

The issue I am having is that when the cookie/ticket expires, the user is still seen to be authenticated?

For example:

HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];

authCookie is null, but

HttpContext.Current.User.Identity.IsAuthenticated 

Continues to return true.

Is there a way to force a log out if the cookie has expired?

Thanks!

Elliott

1 Answer


You could try to replace

HttpContext.Current.User.Identity.IsAuthenticated

with

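HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
// The cookie is null once the browser has dropped it, so guard before decrypting.
FormsAuthenticationTicket authTicket = authCookie == null ? null : FormsAuthentication.Decrypt(authCookie.Value);
if (authTicket == null || authTicket.Expired) { /* ... */ }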

But this does not explain why HttpContext.Current.User.Identity.IsAuthenticated is still set to true. I would firstly make sure that my forms authentication and session expiration are set to the same value in the configuration file:

<authentication mode="Forms">
  <!-- some configuration: other attributes of the forms element omitted -->
  <forms cookieless="UseCookies" timeout="20" />
</authentication>

<sessionState mode="InProc" cookieless="false" timeout="20" />
Paweł Bejger
  • Think I've solved it, there are two separate cookies. One for the logged in user and one for the extra data. I had set an expiry on one but not the other. – Elliott Jan 23 '14 at 13:34
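
The two points raised in this thread (check the ticket's own expiry, and avoid two cookies with different lifetimes) can be combined as below. This is an added example, not code from the question or the answer; the `AuthTicketHelper` class and its method names are hypothetical, and it assumes .NET 4 or later and that the extra data is carried in the ticket's `UserData` field rather than in a second cookie.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: AuthTicketHelper, SignIn and GetValidTicket are hypothetical names.
public static class AuthTicketHelper
{
    // Issue ONE encrypted ticket that carries the extra data, so the identity
    // and the data always expire together.
    public static void SignIn(HttpContext context, string userName, string userData, bool persistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(FormsAuthentication.Timeout), // timeout from <forms timeout="...">
            persistent, userData, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows <forms requireSSL="...">
            Path = FormsAuthentication.FormsCookiePath
        };
        // A persistent cookie gets the ticket's expiry; otherwise it stays a session cookie.
        if (persistent) cookie.Expires = ticket.Expiration;
        context.Response.Cookies.Add(cookie);
    }

    // Returns the ticket only if the cookie is present, decrypts cleanly and has
    // not expired; in every other case the user is signed out and null is returned.
    public static FormsAuthenticationTicket GetValidTicket(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        FormsAuthenticationTicket ticket = null;
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
        {
            try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
            catch (Exception) { ticket = null; } // malformed or tampered value: treat as unauthenticated
        }
        if (ticket == null || ticket.Expired)
        {
            FormsAuthentication.SignOut(); // expires the forms cookie on the current response
            return null;
        }
        return ticket;
    }
}
```

Code that needs the extra data reads it from `GetValidTicket(...).UserData` and treats a null return as "not logged in", so a missing or expired cookie can never leave stale data in use.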