All geek questions in one place

Cooking authentication in asp.net

I use forms authentication in asp.net.i, set the validity of my Authenticate cookie to 60 minutes, session time to 60 minutes in web.config, timeout in web.config up to 60 minutes, and in id mode time to 60 minutes

<authentication mode="Forms"> <forms loginUrl="~/Account/Login.aspx" timeout="60" defaultUrl="~/Landing.aspx" slidingExpiration="true"/> </authentication> <system.web> <sessionState timeout="60" mode="InProc"/> FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( 2, // Version number txtUserName.Text.Trim(), // Username DateTime.Now, // Issue date DateTime.Now.AddMinutes(60), // Expiration date false, // Persistent? userData // User data );

since I use form authentication, if the user does not work for 60 minutes, the user should be redirected to the login page after 60 minutes. But I need to know what will happen if the user does not remain inactive for 60 minutes. will expire? even though the user is still authenticated?

EDIT

i missed one more thing i set the application pool id in IIS for network service

+4
source share
2 answers

Yes, the user will expire anyway, and he / she is not allowed to use the resources available on the server. You use a cookie to authenticate forms, which is a simple container for a FormsAuthentication ticket.

Since your ticket is not permanent, this will expire your cookie, which will redirect the user to the LOGIN PAGE page. Note that this procedure only handles "authentication" and should not be confused with the session.

You may have an expire session, but the user is still authenticated, and this may be a problem.

To answer your question directly, the User Identification will expire and it will be redirected to the login page to which a new cookie will be created in Login, which will create another "Session" object. Overtime work of the previous expires.

Tip. Make the forms timeout in "Web.config" less than the session. Do not create a session dependency for any Auth / Security related ones; the two are different containers and should be treated as such.

+2
source

You better read the links below. It will be faster for you. take a look at slideExpiration

The expiration date is updated for each request until half the expiration time.

Understanding Form Authentication Tickets and Cookies and Form Element

0
source

Source: https://habr.com/ru/post/1433538/

More articles:


All Articles