
I am working with ASP.NET MVC 4 (.NET Framework 4.0).

For a reason I do not understand, my user remains logged in even after the browser and/or application restarts. To take this further, this happens even after a total computer restart, which means the authentication cookie/ticket is persisting. I do not want to use the cookieless attribute in my Web.config, as I do not want to have the cookie stored in the URL, for security and SEO issues.

I don't understand why this is happening; I have set the authentication cookie not to persist in the FormsAuthentication.SetAuthCookie() method.

This is my login action. IsValid(username, password) is a custom method that checks if the username and password match in the model. db is my database context.

    [AllowAnonymous]
    [HttpPost]
    public ActionResult LogIn(Employe user)
    {
        if (ModelState.IsValid)
        {
            if (IsValid(user.username, user.password))
            {
                FormsAuthentication.SetAuthCookie(user.username, false);
                Employe currentEmp = db.Employes.SingleOrDefault(emp => emp.username == user.username);
                Session["currentUser"] = currentEmp;
                return RedirectToAction("Index", "Home");
            }
            else
            {
                ModelState.AddModelError("", "Login Data Incorrect!");
            }
        }
        return View();
    }

This is my Web.config:

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" protection="All" timeout="2880" />
    </authentication>

Ahmed Aboumalek
  • It could be that the browser stores credentials. If so, there is nothing you can do about it. – Win Oct 17 '18 at 22:41
  • I have tried it with two different browsers, Firefox Developer and Chrome, same behavior. – Ahmed Aboumalek Oct 17 '18 at 22:44
  • I managed to find a workaround; however, I would like to understand the reason behind the problem, so I will hold off on that for now. – Ahmed Aboumalek Oct 17 '18 at 23:01
  • Hope you would find the solution here. https://stackoverflow.com/questions/7586469/how-can-i-handle-forms-authentication-timeout-exceptions-in-asp-net – Mike Oct 18 '18 at 03:36

1 Answer


If you are using Form Authentication mode, there is a situation where you have to control both Form Authentication expiration and custom Session expiration. That is probably what makes the issue happen in your application. Hope you would find the solution here: How can I handle forms authentication timeout exceptions in ASP.NET?

Mike
  • That is not the problem. The issue is not adjusting session or authentication ticket timeout, it is understanding why it persists even though I set it explicitly not to. – Ahmed Aboumalek Oct 18 '18 at 11:02
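
A diagnostic for the behaviour asked about above, added here as an example and not code from the question or the answer: it issues the forms-auth ticket by hand with no Expires attribute, then decrypts the cookie on a later request to show whether the ticket is non-persistent and still inside the 2880-minute timeout. The class and method names (AuthCookieDiagnostics, IssueSessionCookie, DescribeIncomingTicket) are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: hypothetical helper, not part of the original post.
public static class AuthCookieDiagnostics
{
    // Issues the forms-auth cookie by hand so every attribute is explicit.
    public static void IssueSessionCookie(HttpResponseBase response, string username)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            2,                                    // ticket version
            username,
            now,
            now.Add(FormsAuthentication.Timeout), // timeout="2880" in the question = 48 hours
            false,                                // isPersistent
            string.Empty,                         // userData
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
            // Expires is left unset, so the browser receives a session cookie.
        };
        response.Cookies.Add(cookie);
    }

    // Decrypts the cookie the browser sent back and reports what the ticket says.
    public static string DescribeIncomingTicket(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "no forms-auth cookie sent";

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return "cookie present but could not be decrypted"; }
        if (ticket == null) return "cookie present but ticket is invalid";

        return string.Format(
            "user={0} isPersistent={1} issued={2:o} expires={3:o} expired={4}",
            ticket.Name, ticket.IsPersistent, ticket.IssueDate,
            ticket.Expiration, ticket.Expired);
    }
}
```

If the output after a browser restart shows isPersistent=False and expired=False, the server never asked for persistence: the browser kept the session cookie (for example through its restore-previous-session setting) and the ticket is still within its timeout.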