New session cookie issued halfway through FormsAuthenticationTicket timeout

Developer https://www.devze.com 2023-02-24 00:25 Source: Internet
I am using Forms authentication in my ASP.NET 4.0 application (upgraded from .NET 1.1). I explicitly create the FormsAuthenticationTicket object, then encrypt it (using a FormsAuthentication method), and send it in a cookie to the client. I use FormsAuthentication.RenewTicketIfExpired() to set the sliding expiration of the authentication cookie.

I am able to use Fiddler to see that a new session cookie is issued halfway through the FormsAuthenticationTicket timeout.

if formsauthentication timeout = 2 min, session timeout = 20 min

i.e.

hh:mm:ss

10:00:00 user logs in

10:01:10 postback occurs

Then a new session is re-created and the user gets logged out. But I set the session to time out every 20 minutes. I tried different formsauthentication timeout values and a new session is always created halfway through the timeout.

I need to set the formsauthentication timeout to a very big value to prevent this from happening.

There was no such problem before the upgrade from .NET 1.1.

Does anybody know why? Is this a bug in how ASP.NET 4.0 deals with sliding expiration?


Writing an answer even if the question is very old, in case someone bumped into this just like I did.

This is not a bug; a new ticket is issued halfway through the timeout because you have SlidingExpiration=yes, which is the default.

When sliding expiration is on, FormsAuthentication will re-issue a FormsAuthentication ticket valid for another x minutes, where x is your forms authentication timeout setting, if more than half of the timeout period has elapsed.

Technically, even though this should happen with every request hitting the server (not only after half of the timeout is gone) AND SOME DOCUMENTATION SAYS THAT'S HOW IT'S DONE, it's not done so, probably for performance reasons, and some browsers seem to dislike setting cookies that frequently.

See http://msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.slidingexpiration.aspx
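
The renewal rule this answer describes, replayed against the question's 2-minute timeout. This is an added example, not part of the original answer and not ASP.NET's own code; `Ticket`, `Renew` and `Replay` are hypothetical names and the times are constructed. The second run shows a consequence of the rule: a user who is active only in the first half of the window is signed out less than a full timeout after their last request.

```csharp
using System;

// Model of the sliding-expiration rule described above (assumption: a ticket
// is re-issued only once the halfway point of its lifetime is reached).
sealed class Ticket
{
    public DateTime Issued, Expires;
    public Ticket(DateTime issued, TimeSpan timeout) { Issued = issued; Expires = issued + timeout; }
    public bool IsExpired(DateTime now) => now >= Expires;
}

static class SlidingExpirationDemo
{
    // Returns the same ticket (no new cookie) while more time remains than
    // has elapsed; otherwise a fresh ticket with the same lifetime.
    static Ticket Renew(Ticket t, DateTime now)
    {
        TimeSpan elapsed = now - t.Issued, remaining = t.Expires - now;
        return remaining > elapsed ? t : new Ticket(now, t.Expires - t.Issued);
    }

    static void Replay(string label, DateTime login, TimeSpan timeout, params int[] requestOffsetsSec)
    {
        Console.WriteLine(label);
        var ticket = new Ticket(login, timeout);
        foreach (int s in requestOffsetsSec)
        {
            DateTime now = login.AddSeconds(s);
            if (ticket.IsExpired(now))
            {
                Console.WriteLine($"  {now:HH:mm:ss} ticket expired at {ticket.Expires:HH:mm:ss} -> redirect to login");
                return;
            }
            Ticket next = Renew(ticket, now);
            Console.WriteLine(object.ReferenceEquals(next, ticket)
                ? $"  {now:HH:mm:ss} ticket kept, still expires {ticket.Expires:HH:mm:ss}"
                : $"  {now:HH:mm:ss} ticket re-issued, now expires {next.Expires:HH:mm:ss}");
            ticket = next;
        }
    }

    static void Main()
    {
        var login = new DateTime(2023, 1, 1, 10, 0, 0);   // constructed sample login time
        var timeout = TimeSpan.FromMinutes(2);            // forms timeout from the question
        Replay("Postback after the halfway point:", login, timeout, 50, 70, 100);
        Replay("Activity only in the first half:", login, timeout, 30, 55, 125);
    }
}
```

In the first run the 10:01:10 postback is the one that produces the new cookie seen in Fiddler; in the second the last request before expiry was at 10:00:55, yet the ticket still ends at 10:02:00.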


Your site could be recycling. This may happen for a couple of reasons. One that recently caught me was when the site directory structure changed (e.g. adding a folder).

Since you know where it is happening, just make sure that you are not causing any recycling.
