Anders Lybecker #1
Forms-based authentication expires before timeout
Hi,
I'm having a problem with the forms-based authentication. The user is
getting timed out long before the timeout period has passed.
The forms-based authentication timeout is set to 10 hours and session
timeout to 2 hours.
Has anyone experienced the same problems?
I'm running framework 1.0.3705 on windows 2k server with IIS 5
Any help is appreciated.
Regards
Anders Lybecker
Anders Lybecker Guest
-
Keith #2
Forms-based authentication expires before timeout
First of all, 10 hours for session timeout is going to
crush your servers. That's an absolutely resource
intensive approach to session timeouts. In addition, it
also represents a security concern that someone could get
up from their session and have it remain active as much
as 10 hours later. I would think 2 hours each value
would be more than adequate, but in reality 20 minutes is
a good approach for most sites. That means your session
is renewed for 10 hours after each click.
Even so, my gut instinct is that the problem you're
having is related to how you're setting the timeout.
First of all, know that the Administrator can control
session timeout settings. Second, please forward along
the part of your web.config and aspx files where you
programmatically set the limits. A common mistake is to
use the server clock to set the session timeout client-side.
Clocks are never in perfect concert.
What I really think the problem is, is that your forms based
authentication ticket isn't being renewed. This is
caused by FormsAuthentication.SlidingExpiration being
false. Check to see at runtime if the value is false.
If so your expiration is not being reset each request.
Here's a related link:
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=90860
Keith Guest
-
Anders Lybecker #3
Re: Forms-based authentication expires before timeout
On Sat, 31 Jan 2004 20:51:45 -0800, "Keith" <keith@keithadler.com>
wrote:
>First of all, 10 hours for session timeout is going to
>crush your servers. That's an absolutely resource
>intensive approach to session timeouts.
I don't care, we got plenty of resources. :-)
The client is always right, and I have nothing to say in this matter.
> In addition, it
>also represents a security concern that someone could get
>up from their session and have it remain active as much
>as 10 hours later. I would think 2 hours each value
>would be more than adequate, but in reality 20 minutes is
>a good approach for most sites. That means your session
>is renewed for 10 hours after each click.
Everything is running within a secure VPN network, so security is not
that high a concern.
>Even so, my gut instinct is that the problem you're
>having is related to how you're setting the timeout.
>First of all, know that the Administrator can control
>session timeout settings. Second, please forward along
>the part of your web.config and aspx files where you
>programmatically set the limits. A common mistake is to
>use the server clock to set the session timeout client-side.
>Clocks are never in perfect concert.
>
>What I really think the problem is, is that your forms based
>authentication ticket isn't being renewed. This is
>caused by FormsAuthentication.SlidingExpiration being
>false. Check to see at runtime if the value is false.
>If so your expiration is not being reset each request.
>
>Here's a related link:
>http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=90860
Here is part of the web.config:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" timeout="600"/>
</authentication>
And the single line of code that sets the authentication token from
the Login.aspx file:
FormsAuthentication.RedirectFromLoginPage(strUserName, False)
Am I missing something?
Thanks
Anders Lybecker
Anders Lybecker Guest
-
Hernan de Lahitte #4
Re: Forms-based authentication expires before timeout
If you are experiencing timeout problems, it might be the big gap between
the session timeout and the Forms cookie timeout renewal. The latter will
renew its value when more than half the specified time has elapsed (5 hs).
If you have a session timeout of 2 hours, then the session will expire long
before the cookie. So adjusting the forms timeout or the session timeout
value should solve this problem. However, I agree with Keith's comments about
the suggested timeout values. Remember the "Defense in depth" security
practice: even though you may have a VPN or plenty of processing resources,
the majority of the attacks always come from the inside.
Regards,
Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com
Hernan de Lahitte Guest
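The two timers described in the post above, as an added model that is not part of the original thread and not ASP.NET's own code. It assumes the forms ticket is reissued only once more than half of its lifetime has elapsed (as the post states) and that session state is an idle timer restarted by every request; `simulate`, `first_login_redirect` and `Event` are hypothetical names.

```python
"""Added model of the two timers in this thread (not ASP.NET source code)."""
from dataclasses import dataclass

FORMS_TIMEOUT = 600    # minutes, from <forms timeout="600"/> in the thread
SESSION_TIMEOUT = 120  # minutes, the 2-hour session timeout in the thread


@dataclass
class Event:
    minute: int           # request time, minutes after login
    authenticated: bool   # forms ticket still valid at this request
    ticket_renewed: bool  # ticket reissued on this request
    session_alive: bool   # session survived the gap since the last request


def simulate(request_minutes, forms_timeout=FORMS_TIMEOUT,
             session_timeout=SESSION_TIMEOUT):
    """Replay request times against both timers and report each outcome."""
    issued, expires = 0, forms_timeout
    last_request = 0
    events = []
    for now in request_minutes:
        authenticated = now < expires
        renewed = False
        if authenticated and (now - issued) > (expires - now):
            # Assumed rule: reissue only once more than half the lifetime is used.
            issued, expires = now, now + forms_timeout
            renewed = True
        # Assumed rule: session state is an idle timer restarted by every request.
        session_alive = (now - last_request) < session_timeout
        last_request = now
        events.append(Event(now, authenticated, renewed, session_alive))
        if not authenticated:
            break  # the next response is the redirect to the login page
    return events


def first_login_redirect(request_minutes, **timeouts):
    """Minute of the first request that fails authentication, or None."""
    for event in simulate(request_minutes, **timeouts):
        if not event.authenticated:
            return event.minute
    return None


if __name__ == "__main__":
    # Constructed request timelines (minutes after login).
    for label, timeline in [
        ("idle past session timeout", [130]),
        ("last click just before half-life", [100, 200, 299, 601]),
        ("last click just after half-life", [100, 200, 301, 601]),
    ]:
        print(label)
        for event in simulate(timeline):
            print("  ", event)
```

In this model a click at minute 299 does not extend the ticket, so the user is sent to the login page at minute 601 after 302 idle minutes, while a click at minute 301 moves the expiry to minute 901.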
-
Anders Lybecker #5
Re: Forms-based authentication expires before timeout
On Mon, 2 Feb 2004 12:18:30 -0300, "Hernan de Lahitte"
<hernan@lagash.com> wrote:
>If you are experiencing timeout problems, it might be the big gap between
>the session timeout and the Forms cookie timeout renewal.
Why should the gap cause this problem?
>The latter will
>renew its value when more than half the specified time has elapsed (5 hs).
>If you have a session timeout of 2 hours, then the session will expire long
>before the cookie. So adjusting the forms timeout or the session timeout
>value should solve this problem. However, I agree with Keith's comments about
>the suggested timeout values. Remember the "Defense in depth" security
>practice: even though you may have a VPN or plenty of processing resources,
>the majority of the attacks always come from the inside.
In a series of page requests after the user has logged in, one of them
suddenly fails and the login page is displayed. The timeframe is less
than 10 minutes - a lot less than the timeout.
Any suggestions?
Regards
Anders Lybecker
Anders Lybecker Guest
-
Hernan de Lahitte #6
Re: Forms-based authentication expires before timeout
Check the page sequence that makes the login page load.
Are all the pages in this seq. in the same application/forms auth scope ?
Your authz config is something like this?
<authorization>
<deny users = "?" />
<allow users= "*" />
</authorization>
--
Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com
Hernan de Lahitte Guest
-
Anders Lybecker #7
Re: Forms-based authentication expires before timeout
On Wed, 4 Feb 2004 09:48:37 -0300, "Hernan de Lahitte"
<hernan@lagash.com> wrote:
>Check the page sequence that makes the login page load.
>Are all the pages in this seq. in the same application/forms auth scope ?
>Your authz config is something like this?
>
><authorization>
> <deny users = "?" />
> <allow users= "*" />
></authorization>
The web.config:
<authorization>
  <deny users="?"/>
</authorization>
The <allow users="*" /> is implicit.
Regards
Anders Lybecker
Anders Lybecker Guest
-
Pete #8
Re: Forms-based authentication expires before timeout
I've had the same problem too. It seems to work correctly at times but then
reverts to seemingly random timeouts.
Never did find out why it doesn't work as planned. BTW I'm using Win2003 +
.NET 1.1. However on my XP 1.1 dev box it works fine 100% of the time.
--
Cheers
Pete
XBOX Live Leagues & Tournaments
http://www.xboxracing.net/
Pete Guest




