1

I'm trying to establish some authentication timeout expiration checking, and I'm noticing something a little strange. When the authentication period is still valid, the following code will give me a cookie:

HttpCookie authCookie = context.Request.Cookies[".ASPXAUTH"]; // .ASPXAUTH name defined in web.config

But when the authentication period has expired, the cookie is no longer in the Cookies array, and my result is null. I'm trying to build a FormsAuthenticationTicket object from the cookie, to be able to check the expired property. Like this:

FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);

// check if previously authenticated session is now dead
if (authTicket != null && authTicket.Expired)
{
    // send a Response indicating that they've expired.
}

But if the cookie goes away once the authentication period has expired, I can't even get that far. So is there something I'm doing wrong, or is that cookie not supposed to be there? And if not, how am I supposed to build a ticket to even check the Expired property?

Thanks very much.

Matt
  • Dual Post: http://stackoverflow.com/questions/4490650/asp-net-why-is-formsauthenticationticket-null-after-authentication-timeout/4491304#4491304 – gbs Dec 20 '10 at 16:04

2 Answers

0

The cookie has an expiration timeout value that you can specify in the configuration file. There isn't much warning about when the cookie expires; you could build a process that checks upon every request to see which request it expired on.

However, factor in the element too, which may require a valid user (not anonymous), so without the cookie you may get kicked out.

Read more about it here: http://support.microsoft.com/kb/910443

Brian Mains
0

If isPersistent is set to false on the FormsAuthenticationTicket then a persistent cookie is not set. When the ticket expires the cookie is not sent with the request, therefore you cannot access it.

Les
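An added example, not code from any of the posts above: one way to check the ticket without assuming the cookie is present, treating a missing, undecryptable, or expired ticket as unauthenticated. The `TicketState` enum, the `AuthTicketCheck` class, its method names, and the `X-Auth-State` header are hypothetical names chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public enum TicketState { Missing, Invalid, Expired, Valid }

public static class AuthTicketCheck
{
    // Classify the forms-authentication cookie on a request. Every state
    // except Valid must be handled as "not authenticated" (fail closed).
    public static TicketState Classify(HttpRequest request)
    {
        // Configured cookie name rather than a hard-coded ".ASPXAUTH".
        HttpCookie authCookie = request.Cookies[FormsAuthentication.FormsCookieName];

        // The case from the question: no cookie on the request at all.
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
            return TicketState.Missing;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        // ArgumentException is the documented failure; the other two are
        // caught defensively (assumption) so tampered input cannot cause a 500.
        catch (ArgumentException) { return TicketState.Invalid; }
        catch (CryptographicException) { return TicketState.Invalid; }
        catch (HttpException) { return TicketState.Invalid; }

        if (ticket == null) return TicketState.Invalid;
        return ticket.Expired ? TicketState.Expired : TicketState.Valid;
    }

    // Hypothetical helper: reject the request and tell the client why.
    // Returns true when the caller may continue processing.
    public static bool RequireValidTicket(HttpContext context)
    {
        TicketState state = Classify(context.Request);
        if (state == TicketState.Valid) return true;

        context.Response.StatusCode = 401;
        context.Response.AddHeader("X-Auth-State", state.ToString()); // constructed header name
        return false;
    }
}
```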