开发者

Authentication/Session cookie deleting after browser close

What are the exact steps required for a cookie to persist after a browser is closed? At the moment I have:

  1. createPersistentCookie set to true on LoggedIn event.
  2. MachineKey specified.
  3. Forms sliding expiration set to true.

As long as the browser is open, the user will stay logged in, but as soon as it's closed, and it doesn't matter for how long, the user will need to log in again. What am I missing?

EDIT: I went through the article pointed out by marapet (see comments below) and it made me interested in whether the ticket does indeed have IsPersis开发者_StackOverflow中文版tent flag, which it does. The decrypted ticket looks like this: System.Web.Security.FormsAuthentication.Decrypt(Request.Cookies[System.Web.Security.FormsAuthentication.FormsCookieName].Value) {System.Web.Security.FormsAuthenticationTicket} CookiePath: "/" Expiration: {19/08/2010 17:27:14} Expired: false IsPersistent: true IssueDate: {19/07/2010 17:27:14} Name: "alex" UserData: "" Version: 2 All the details are correct, and correspond to those I set in LoggedIn event. More over the cookie value I can retrieve from the cookie directly, is identical to this one. Yet as soon as I close the browser, the cookie is lost.

What I have noticed, however, is that the cookie carrying the ticket has it's date reset for some reason. Firstly I can't override settings in web.config, so at the end of LoggedIn event it's Expires property is 4000 minutes after issue date, not a month which I am setting programmatically. Then after page load the cookie I retrieve with FormsAuthentication.FormsCookieName has Expires property of 01/01/0001. I think perhaps this is where the problem lies? Any thoughts would be appreciated.

EDIT#2: I am changing both title and tags to include session, as it turned out to be relevant for the problem/solution


So I found the solution, eventually. As it turns out, it wasn't the problem with the authentication cookie as such (it was retained correctly, or rather would have been if the handler didn't remove it, having incorrectly decided that a user wasn't logged in based on the missing session). The problem was that the Session cookie was lost, or wasn't identified properly. So the fix was to manually add a session cookie during log on like so:

HttpCookie authCookie = new HttpCookie("ASP.NET_SessionId", Session.SessionID);
authCookie.Domain = ".mydomain.com";
authCookie.Expires = DateTime.Now.AddMonths(1);
Response.Cookies.Add(authCookie);

Now when the browsers opens again the session is identified properly and user session restored.


A persistent forms authentication cookie should not be discarded when the browser closes. It stays valid for the timeout value defined in the web.config.

However, some browsers can be configured to discard all cookies at the end of a session - you may want to check the settings of your browser (FireFox: Tools - options - privacy).

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜