The expiration time of persistent cookies is automatically extended when you use the Forms authentication of ASP.

Source: Internet
Author: User

Problem description

If you have not used forms authentication before, if you set the persistent cookie expiration time to half an hour during the login process, you will always get a lot of complaints from users, saying that a login is overdue.

So the cookie expiration time is always set a bit longer, such as two hours or even a day, so that you can guarantee to set a cookie at the time of landing, the user can operate for a long period of time.

Although it is also possible to check the expiry time of a cookie every time a user requests a page and automatically expand it, it's too much of a hassle to make it easier to set a big point at a time.

Accidental discovery

When you write the appbox-extaspnet-based Enterprise general management framework using Forms authentication today, it is assumed that this is set up in Web. config:

<authentication mode="Forms">      <forms name=".ASPXFORMSAUTH" loginUrl="~/default.aspx" timeout="360" defaultUrl="~/main.aspx" protection="All" path="/"/></authentication>

I set the expiry time to 6 hours to expect to hear no complaints from users within 6 hours of landing.
Because you want to save the role that the user belongs to in the user.identity, you are not aware of the paragraph in this article when looking at the custom authentication:

If it is not persistent cookie, The validity period of a cookie expiration property has the current time plus the timeout in Web. config, and each time the page is requested, during the authentication process, it will determine if half of the validity period has expired, and if so, update the validity period of the cookie.

That's great! If this is the case, the so-called timeout attribute is not important at all, and the system will re-determine the expiration time each time the page is requested, and automatically expand if it expires soon.

Note: There is a problem with the above quote, for persistent cookies have expiration time, non-persistent cookies are generally referred to as session cookies, and cannot cross the browser process, so close the browser disappears.

Personally verify

Real learning and understanding need to be done in person, the following steps will lead us to verify the above statement (the following is used in Firefox + FireBug + firecookie).

1. Configure the Web. config

<authentication mode="Forms">      <forms name=".ASPXFORMSAUTH" loginUrl="~/default.aspx" timeout="2" defaultUrl="~/main.aspx" protection="All" path="/"/></authentication>

We set the expiration time to 2 minutes to make it easier to observe the expiry time of the cookie.

2. Login Code

In the successful login code, the following statement code completes the cookie write and the page jump (the second parameter indicates that this is a persistent cookie):

FormsAuthentication.RedirectFromLoginPage(userName, true);

3. Observe the cookie information after logging in

Since we landed on 2012-6-22 9:04:12, the expiry date is 2012-6-22 9:06:12

4. Refresh the page within 1 minutes of logging in

Refresh the page within a minute, and the cookie's expiration time does not change, and the same.

5. Refresh the page after 1 minutes of login

The page refreshed at 9:05:13, that is, the last 1 minutes, the system will automatically extend the cookie expiration time, on this basis to add another 2 minutes, so the current expiration time is 9:07:13

6. Refresh the page after 2 minutes of login

Two minutes after the refresh, the cookie expires, the page will automatically jump to the landing page.

Summarize

The forms authentication of ASP. NET provides us with a consistent and secure means of verification, and the mechanism of automatic extended cookie expiration is icing on the cake, giving us more time to focus on the implementation of business logic

The expiration time of persistent cookies is automatically extended when you use the Forms authentication of ASP.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.