Usually I have:
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
timeout="30"
slidingExpiration="true"
</authentication>
which (IMHO) means that the cookie expires after 30 minutes of inactivity - sliding expiration means that any activity sets the cookie's expiry time back to 30 minutes.
Now I have the requirement that I would like the cookie to be stored indefinately, unless the user logs out explicitly. This means, that even if the browser is closed and reopened and the user goes to a side that requires authentication, no login is required. Is this possible?
What you describe sounds equivalent to forcing the remember me checkbox to always be checked. To achieve that, go to your your Login action, and do the following:
FormsAuthentication.SetAuthCookie(username, true);
use SetAuthCookie method. SetAuthCookie
FormsAuthentication.SetAuthCookie(UserID, false); // not persisting cookie accross the browser session.
FormsAuthentication.SignOut().// for signout
Related
I have a ASP.NET Web Form Single Page Application.
It uses Form Security and System.Web.Security.SqlMembershipProvider
The authentication is configured like this:
<authentication mode="Forms">
<forms name=".ASPXFRM" protection="All" timeout="120" loginUrl="~/Authdentication.aspx" />
</authentication>
This application is a Point Of Sale. As of now, all employees in the store use the same username/password to login.
Now, we need to add more security into the application.
The ideal situation would be that.
In the morning, cashier #1 and cashier #2 log in using their username and password.
After some time of inactivity, the app locks.
Then, cashier #1 or #2 enters his PIN (5 digit code) different from its password to unlock the app (and auto"magicly") reauthenticate..
Any suggestion, experience with this scenario?
Question:
How can I have multiple user use the same application on the same computer in the same browser window without having to logoff/loggin each time. Behind the scene could occur the logoff / login process but I want the process to be quick and easy for the user.
If the idea of using password to login while pin to unlock is to maintain session even when account is locked due to in activity then perhaps you should use different values for forms and session timeouts. For example
<authentication mode="Forms">
<forms name=".ASPXFRM" protection="All" timeout="15" loginUrl="~/Authdentication.aspx" />
</authentication>
<sessionState mode="InProc" timeout="60"/>
This should force you authenticate every 15 minutes you stay inactive but session won't be lost for an hour.
For testing purpose I want to set session timeout to 1 minute - is it possible?
I have defined timeout as 1 minute in web.config, but it is not working (I heard default timeout is 20 minutes so minimum 20?)
<sessionState mode="StateServer" cookieless="false" timeout="1"/>
Yes, you can set it to less than 20 minutes. Default 20 doesn't means minimum 20 .
Also, you used <sessionState> element of Web.config, so set it as:
<sessionState mode="StateServer" cookieless="false" timeout="1" />
Check this forum on asp.net : http://forums.asp.net/t/1725273.aspx/1
A session starts every time a new user hits the website, regardless of whether or not they are anonymous. Authentication has very little to do with Session.
Authentication timeout is the amount of time that the authentication cookie is good for on the user's browser. Once the cookie expires, they must re-authenticate to access protected resources on the site.
So, if Session times out before the Authentication cookie - they are still authenticated, but all their session variables disappear, and may cause errors in your website if you are not disciplined in checking for nulls and other conditions brought about by missing session.
If Authentication times out before the session, then all their session variables will still exist, but they won't be able to access protected resources until they log back in again.
Check this url. It may helpful
http://www.aspdotnet-suresh.com/2010/10/session-timeout-problem-in-aspnet.html
set <sessionState mode="StateServer" cookieless="false" timeout="1" />
I have an asp.net webforms application. My root web config has the following entries:
<forms loginUrl="Login.aspx" protection="All" timeout="60" path="/"/>
...
<sessionState mode="StateServer"
stateConnectionString="tcpip=127.0.0.1" cookieless="false" timeout="60"/>
I want to know what happens when the user is idle for 61 minutes. Will a httprequest of type 401 occur regardless if the <forms> or <sessionState> triggers a redirect?
My goal is to handle the XHR status in a jQuery $.ajax error callback and check if the user should be redirected to the loginpage or not.
A sessionState timeout doesn't automatically trigger a redirect, your application just won't find the session objects that it may be looking for. Does your code check the session and fire off a redirect? If so, the forms timeout (and subsequent redirect to Login.aspx page) will be experienced by the user prior to your session timeout handling (which wouldn't execute).
I am using forms authentication in asp.net4. But the authorization is behaving very unusually.
Following is my web.config snippet-
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="2880" protection="All" path="/" />
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
When i try to open any web page i am redirected to Login page as expected. If close my browser i should be logged out, but thats not happening although i am setting persistentCookie=false as follow
FormsAuthentication.RedirectFromLoginPage(username, false);
Now after closing browser if a login again i am considered authenticated user, but if i clear cookie cache in my browser than i wont be considered authenticated user.
I am not setting cookie anywhere and i dont want persistent cookie, than why is this happening.
Please tell me if i am missing something.
Anobody know something related to this
I just found that this problem is only with Chrome 21.0, and not with Firefox 7.0 or Opera 11.4 (problem of authenticating even though session ends).
When you use authentication mode="Forms" your auth credentials stored in cookies by default. If you want to change this behaviour you can use cookieless="UseUri" attribute, than your credential will be stored in the URL. You can find more inforamtion forms Element for authentication.
timeout attribute specify how long cookies will be stored (in minutes) by default it is 30.
I have read some issues related to session time out and i have changed the settings but no avail.
This is entry of session in web.config. i want to expire the session after 5 hours.
<sessionState mode="InProc" timeout="300" />
On Login page i am adding user name in session
Session.Add("Authenticated", UserName);
and my each page is inherited with BasePage and in base class i have this check for each page.
if (Session["Authenticated"] == null)
{
Response.Redirect("../userlogin.aspx");
}
but session expires before one hour.
I want to confirm that during this there is no change in web.config, Bin folder files etc.
Take a look at this ASP.NET Session Timeouts.
Besides IIS Idle timeout there is Forms authentication timeout, which is 30 min by default. So you will be redirected to the login page before the session actually expired.
<system.web>
<authentication mode="Forms">
<forms timeout="300"/>
</authentication>
<sessionState timeout="300" />
</system.web>
If you are hosting it on IIS6 (Win2K3) then go to the settings in the Application Pool in which your application runs. You need to set it there as well.