Forms Authentication non-persistent cookie not expiring after closing

I have a typical ASP.NET 2.0 Forms authentication application which
authenticates against Active Directory. I use non-persistent cookie so
that the user is NOT remembered across browser sessions. The timeout
is set to 10 minutes. Here is the important code snippets that I took
from my original code:

string roleToCheck = .....;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
member.UserName, DateTime.Now, DateTime.Now.AddMinutes(10), false,
roleToCheck, FormsAuthentication.FormsCookiePath);
string encryptedTicket =
FormsAuthentication.Encrypt(ticket);
HttpCookie authSessionCookie = new
HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authSessionCookie.HttpOnly = true;
authSessionCookie.Expires = ticket.Expiration;
Response.Cookies.Add(authSessionCookie);
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);

Note that I'm setting the 2nd parameter to false which means that it
creates non-persistent cookie. Now I opened the IE browser and logged
in by entering the user credentials. I closed the window and there was
no other instance of IE running. I opened another IE and entered the
URL and it straight away went to default page instead of Login page.

1. Why is the cookie not expiring even after I close the browser?
2. If that's how the ASP.NET works, is there any work around so that
whenever the user closes IE and opens another IE, he should be forced
to login once again?

Thanks,
Hari.

Re: Forms Authentication non-persistent cookie not expiring after closing the browser

Hari,

If you authenticate against the Active Directory, why not host your solution
under intergrated security?

That would solve a lot of your problems.

Kind regards,

Matthijs Krempel

schreef in bericht
news:3de4437f-d2be-4fa2-a02b-e489ea89002d@59g2000hsb.googleg roups.com...
> I have a typical ASP.NET 2.0 Forms authentication application which
> authenticates against Active Directory. I use non-persistent cookie so
> that the user is NOT remembered across browser sessions. The timeout
> is set to 10 minutes. Here is the important code snippets that I took
> from my original code:
>
> string roleToCheck = .....;
> FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
> member.UserName, DateTime.Now, DateTime.Now.AddMinutes(10), false,
> roleToCheck, FormsAuthentication.FormsCookiePath);
> string encryptedTicket =
> FormsAuthentication.Encrypt(ticket);
> HttpCookie authSessionCookie = new
> HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
> authSessionCookie.HttpOnly = true;
> authSessionCookie.Expires = ticket.Expiration;
> Response.Cookies.Add(authSessionCookie);
> FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
>
> Note that I'm setting the 2nd parameter to false which means that it
> creates non-persistent cookie. Now I opened the IE browser and logged
> in by entering the user credentials. I closed the window and there was
> no other instance of IE running. I opened another IE and entered the
> URL and it straight away went to default page instead of Login page.
>
> 1. Why is the cookie not expiring even after I close the browser?
> 2. If that's how the ASP.NET works, is there any work around so that
> whenever the user closes IE and opens another IE, he should be forced
> to login once again?
>
> Thanks,
> Hari.
>

Re: Forms Authentication non-persistent cookie not expiring after

Hi Matthijs - The reason that we are not using Integrated Security and
using Forms is because we have some external (limited) users who
access the application out of our network.

-Hari.

On Apr 9, 1:25=A0am, "Matthijs Krempel"
wrote:
> Hari,
>
> If you authenticate against the Active Directory, why not host your soluti=
on
> under intergrated security?
>
> That would solve a lot of your problems.
>
> Kind regards,
>
> Matthijs Krempel
>

Re: Forms Authentication non-persistent cookie not expiring after closing the browser

Hi Hari,

You can write a custom membershipprovider, that uses both your custom
authentication scenario and uses the activedirectorymembershipprovider.

Forms authentication will do the rest for you, no mucking about with writing
custom authentication logic.

With kind regards,

Matthijs Krempel

schreef in bericht
news:ebd42b09-a927-4faa-8713-37937c6328ec@b64g2000hsa.google groups.com...
> Hi Matthijs - The reason that we are not using Integrated Security and
> using Forms is because we have some external (limited) users who
> access the application out of our network.
>
> -Hari.
>
> On Apr 9, 1:25 am, "Matthijs Krempel"
> wrote:
>> Hari,
>>
>> If you authenticate against the Active Directory, why not host your
>> solution
>> under intergrated security?
>>
>> That would solve a lot of your problems.
>>
>> Kind regards,
>>
>> Matthijs Krempel
>>
>
>