Manually renew forms authentication ticket:

Yet another problem with forms authentication ticket expiring too soon.
I need to use sliding Expiration set to true. I have read forums and understood the problem with the loss of precision, that the ticket only gets updated if the request is made after half of the expiration time only.

The problem:
In my webconfig I have as follows:

    <authentication mode="Forms">
        <forms timeout="20" name="SqlAuthCookie" protection="All" slidingExpiration="true" />
    </authentication>
    <sessionState timeout="20" />
    <authorization>

The user must only be logged out and redirected to login.aspx, only when there was no request made in the 20 Minute interval. The problem is that users are making requests, and still get thrown to the login page. This should not happen. What I thought of doing, was to reset the SqlAuthCookie manually for each request.

Below is my code. It is called on context.AcquireRequestState.

    void context_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        ResetAuthCookie(ctx);
     }

            private void ResetAuthCookie(HttpContext ctx)
    {
        HttpCookie authCookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null)
            return;

        FormsAuthenticationTicket ticketOld = FormsAuthentication.Decrypt(authCookie.Value);
        if (ticketOld == null)
            return;

        if (ticketOld.Expired)
            return;

        FormsAuthenticationTicket ticketNew = null;
        if (FormsAuthentication.SlidingExpiration)
           ticketNew = FormsAuthentication.RenewTicketIfOld(ticketOld);

        if (ticketNew != ticketOld)
            StoreNewCookie(ticketNew, authCookie, ctx);
    }

    private void StoreNewCookie(FormsAuthenticationTicket ticketNew, HttpCookie authCookie, HttpContext ctx)
    {
        string hash = FormsAuthentication.Encrypt(ticketNew);
        if (ticketNew.IsPersistent)
            authCookie.Expires = ticketNew.Expiration;

        authCookie.Value = hash;
        authCookie.HttpOnly = true;

        ctx.Response.Cookies.Add(authCookie);
    }

My questions are:

Is it wrong or an acceptable solution, resetting the cookie on each request?
Why does it still not work? It seems that new Ticket never gets renewed.
Are there other causes possible, for the fact that the users have their forms authentication expired too soon, that I should investigate?

Thank you,
Regards,

Best Answer

A forms authentication cookie only renews itself after half it's expiration time has passed.

From Microsoft:

If the Web page is accessed before half of the expiration time passes, the ticket expiration time will not be reset. For example, if any Web page is accessed again at 5:04 00:00:00 PM, the cookies and ticket timeout period will not be reset.

To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed.

This may be your issue. If your clients access your site at the 9 minute mark and don't access it again for 10 minutes they'll be timed out. This occurs even though you have your session timeout set to 20 minutes.

Manually renewing your ticket like you're doing isn't necessary. You just need sliding expiration enabled. If the 'half the specific time' rule doesn't work for you then you'll have to look at other solutions.

Best Answer

Related Solutions

R – Storing custom user information in an authentication ticket instead of in Membership provider

R – Detecting forms authentication timeout in login page

Related Topic