Problem description
Before using Forms authentication, if you set the HttpOnly cookie's expiration time to half an hour during login, you would always get a lot of complaints from users saying that their login had expired.
So the cookie expiration time is usually set a bit longer, such as two hours or even a day, so that once the cookie is set at login the user can keep working for a long time.
It is also possible to check the cookie's expiry time on every page request and extend it automatically, but that is too much of a hassle; it is easier to set a large value once.
Accidental discovery
Today, while writing AppBox, the ExtAspNet-based general enterprise management framework, with Forms authentication, assume that Web.config is set up like this:
<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH" loginUrl="~/default.aspx" timeout="360" defaultUrl="~/main.aspx" protection="All" path="/" />
</authentication>
I set the expiry time to 6 hours, hoping to hear no complaints from users within 6 hours of logging in.
Because I wanted to store the role that the user belongs to in User.Identity, I was reading about custom authentication and came across this paragraph in this article by chance:
If it is not a persistent cookie, the cookie's expiration property is set to the current time plus the timeout in Web.config, and on each page request the authentication process checks whether half of the validity period has passed and, if so, updates the cookie's validity period.
That's great! If this is the case, the so-called timeout attribute is not important at all: the system re-evaluates the expiration time on each page request and automatically extends it if it is about to expire.
Verifying it in person
Real understanding comes from trying things yourself, so the following steps verify the statement above (using Firefox + Firebug + Firecookie).
1. Configure Web.config
<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH" loginUrl="~/default.aspx" timeout="2" defaultUrl="~/main.aspx" protection="All" path="/" />
</authentication>
We set the expiration time to 2 minutes to make it easier to observe the expiry time of the cookie.
2. Login Code
In the code that runs after a successful login, the following statement writes the cookie and redirects the page:
// The second argument (true) asks for a persistent cookie.
FormsAuthentication.RedirectFromLoginPage(userName, true);
3. Observe the cookie information after logging in
Since we logged in at 2012-6-22 9:04:12, the expiry time is 2012-6-22 9:06:12.
4. Refresh the page within 1 minute of logging in
If the page is refreshed within the first minute, the cookie's expiration time does not change.
5. Refresh the page more than 1 minute after logging in
The page was refreshed at 9:05:13, that is, more than 1 minute after login, so the system automatically extended the cookie's expiration time by adding another 2 minutes from that moment; the expiration time is now 9:07:13.
6. Refresh the page after 2 minutes of login
Two minutes after the refresh, the cookie expires, and the page automatically redirects to the login page.
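The renewal rule observed in steps 3 to 6 can be modelled in a few lines. This is an added example, not ASP.NET's own source or code from the original post; it assumes sliding expiration is enabled, the names Ticket and OnRequest are hypothetical, and every request time except the 9:05:13 refresh is constructed.

```csharp
using System;

// Added model of the half-life renewal rule; not ASP.NET's own source code.
static class SlidingExpirationDemo
{
    struct Ticket
    {
        public DateTime Issued, Expires;
        public Ticket(DateTime issued, DateTime expires) { Issued = issued; Expires = expires; }
    }

    // Ticket to use after a request at 'now', or null once it has expired.
    static Ticket? OnRequest(Ticket t, DateTime now)
    {
        if (now > t.Expires) return null;            // expired: redirect to loginUrl
        TimeSpan age = now - t.Issued;
        TimeSpan remaining = t.Expires - now;
        if (remaining > age) return t;               // first half of the lifetime: unchanged
        return new Ticket(now, now + (t.Expires - t.Issued)); // second half: reissue, same lifetime
    }

    static void Main()
    {
        TimeSpan timeout = TimeSpan.FromMinutes(2);  // timeout="2" from the walkthrough
        DateTime login = new DateTime(2012, 6, 22, 9, 4, 12);
        Ticket? ticket = new Ticket(login, login + timeout);

        DateTime[] requests =
        {
            new DateTime(2012, 6, 22, 9, 4, 50),     // constructed: within the first minute
            new DateTime(2012, 6, 22, 9, 5, 13),     // the refresh time from step 5
            new DateTime(2012, 6, 22, 9, 7, 14),     // constructed: just past the new expiry
        };
        foreach (DateTime now in requests)
        {
            ticket = ticket.HasValue ? OnRequest(ticket.Value, now) : null;
            Console.WriteLine("{0:HH:mm:ss} -> {1}", now, ticket.HasValue
                ? "expires " + ticket.Value.Expires.ToString("HH:mm:ss")
                : "expired, redirect to login");
        }

        // Constructed: one request every 61 seconds keeps the session alive for a full day,
        // so timeout limits idle time, not total session length.
        Ticket? busy = new Ticket(login, login + timeout);
        for (DateTime now = login.AddSeconds(61); busy.HasValue && now < login.AddDays(1); now = now.AddSeconds(61))
            busy = OnRequest(busy.Value, now);
        Console.WriteLine("still valid after 24 h of activity: {0}", busy.HasValue);
    }
}
```

The last loop is the part worth noting when choosing a timeout: anyone holding a valid cookie, including a copied one, can keep it alive for as long as requests keep arriving.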
Summary
ASP.NET Forms authentication provides us with a consistent and secure means of authentication, and the mechanism for automatically extending the cookie's expiration time is the icing on the cake, giving us more time to focus on implementing business logic.