FormsAuthenticationTicket and Persistence

I have been playing around with putting forms-based authentication on a site I am building. I would like to store a piece of information in the authentication ticket and persist that cookie on the client between sessions. So naturally, I searched around the net and kept coming across code that looks something like this:

if (FormsAuthentication.Authenticate(UsernameTextBox.Text, PasswordTextBox.Value))
{
     FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
          1,
          UsernameTextBox.Text,
          DateTime.Now,
          DateTime.Now.AddHours(3),
          true,
          myValue);
 
     string encryptedTicket = FormsAuthentication.Encrypt(ticket);
 
     HttpCookie authenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName,encryptedTicket);
 
     Response.Cookies.Add(authenticationCookie); 
 
     Response.Redirect(FormsAuthentication.GetRedirectUrl(UsernameTextBox.Text, true));
}

The only problem is that the authentication ticket doesn’t stick around between sessions even though I pass true to the isPersistent parameter of the FormsAuthenticationTicket constructor.  Each time I start a new browser up, I find that I am no longer authenticated.  So what’s the problem? 

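If you don’t specify the cookie’s expiration date, it expires when you close the browser, right? The isPersistent flag is only recorded inside the encrypted ticket; it does not set the lifetime of the cookie that carries the ticket. The solution is to add the following line before adding the cookie to the Response.Cookies collection: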

     authenticationCookie.Expires = ticket.Expiration;
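
The fix above as a complete helper that makes the cookie persistent only when the user asked for it, and reads the stored value back on later requests. This is an added example, not code from the original post; AuthCookieHelper, IssueTicket, ReadUserData and the rememberMe parameter are assumed names.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example: AuthCookieHelper and its members are hypothetical names.
public static class AuthCookieHelper
{
    // Call only after the credentials have been validated.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string userData, bool rememberMe)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddHours(3),
            rememberMe, userData, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // not readable from client script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows requireSSL in web.config

        // isPersistent is sealed inside the encrypted ticket; only Expires
        // tells the browser to keep the cookie after it closes.
        if (ticket.IsPersistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        response.Cookies.Add(cookie);
    }

    // Returns the stored value, or null when there is no usable ticket.
    public static string ReadUserData(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            // The browser never sends Expires back; the ticket's own
            // expiration is the value the server can rely on.
            return (ticket == null || ticket.Expired) ? null : ticket.UserData;
        }
        catch (ArgumentException) { return null; }       // malformed cookie value
        catch (CryptographicException) { return null; }  // defensive: decryption failure means no ticket
    }
}
```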

Comments

  • Anonymous
    July 24, 2003
    I've been ignoring just this issue for a couple of weeks now with a user management system I'm working on. Thanks tosh! You probably just saved me a couple of hours :)
  • Anonymous
    August 21, 2003
    I want to expire a ticket before its persistence period ends.

    Say if it persists for 3 hrs,
    I want it to expire after 1 hr?
  • Anonymous
    October 27, 2003
    Thanks for this! Works great, saved me time and more frustration. It seems so obvious once it's explained... yet somehow it was too difficult to "figure out".
  • Anonymous
    February 08, 2004
    Ey thanks! So lucky that you're on the first page of Google when I tried searching "formsauthentication ticket"; persistence was really my problem :D Thanks a lot for your article.
  • Anonymous
    February 12, 2004
    Well, the problem now is that you will always have a persistent cookie even if you don't want to have a persistent cookie. ???

    Response.Redirect(FormsAuthentication.GetRedirectUrl(UsernameTextBox.Text, FALSE));
  • Anonymous
    February 24, 2004
    My problem is that no matter what I seem to do I ALWAYS have a persistent cookie even though I specified that I didn't want a persistent cookie.

    The problem with persistent cookies is that when someone changes the web.config file (and the application restarts) .NET doesn't clean up the persistent cookie and you will find that HttpContext.Current.User will still be the user logged in prior to application start. I haven't completed my research yet but right now I'm assuming this has something to do with persistent cookies.

    That said with the amount of luck I've had resolving this problem I wouldn't be surprised if this assumption was wrong.
  • Anonymous
    April 26, 2004
    Dear Sir,
    I have a question on the cookie we store on the client's machine.
    The next time the user comes in, how am I checking to see if there is a cookie on the client machine or not? Am I just using the Application_AuthenticateRequest method in the global.asax to check if a cookie exists?
  • Anonymous
    June 01, 2004
    if (ticket.IsPersistent)
    {
        cookie.Expires = ticket.Expiration;
    }