Re: Session Times Out but still logged in with login control? by Bishop
Bishop
Wed Nov 28 12:36:14 PST 2007
That's some really good information, I will read further about all this.
Thank you very much!
"Scott Roberts" <sroberts@no.spam.here-webworks-software.com> wrote in
message news:e96%234lfMIHA.3516@TK2MSFTNGP02.phx.gbl...
> To be honest with you, I've never really looked into "cookie-less"
> authentication. I think the ASP.NET membership might auto-detect if
> cookies are disabled and automatically switch to url-rewriting. I'm not
> certain on that, though.
>
> I believe (and you might want to double-check me on this) that most
> browsers support two types of cookies these days. A "session" cookie (not
> sure if that's the correct term) is generally permitted under default
> security settings. These cookies "expire" when the browser is closed (if
> not sooner) and are generally considered harmless. The "persistent"
> cookies (those that persist even after the browser is closed) are the
> potentially dangerous ones and those are the ones browsers tend to block.
>
> So the "authentication" cookie is a "session" cookie ("session" on the
> client, not the server) while the "Remember Me" cookie is "persistent".
> The default expiration on the authentication cookie is 20 minutes, which
> just happens to coincide with the default timeout on server sessions.
> This is coincidence, they are not related. You can increase the timeout on
> the authentication cookie to whatever you want, or set it to "never
> expire" in which case it will go away when the browser is closed.
>
>
>
> "Bishop" <nospam@nospam.com> wrote in message
> news:OeaeP2dMIHA.3852@TK2MSFTNGP06.phx.gbl...
>> Ah, thank you.
>>
>> I tested cookies a while back but never implemented them because I was
>> losing the cookie at the same time the session would expire. I know
>> that doesn't make much sense, maybe it is some configuration with my
>> browser. I didn't pursue it because of that and I was afraid that many
>> people would have their cookies disabled.
>>
>> Have you seen similar results with cookies and any idea what percentage
>> of browsers have cookies disabled any more? In this particular site, I
>> could indicate to users that they need to have cookies enabled to use.
>>
>> Hmmmm... Now that I think about it, the login controls have the
>> "Remember Me Next Time" option that never seems to work for me but others
>> have indicated that it works fine for them. Do I just have something set
>> to expire cookies really fast? I'll investigate on my end but would
>> happily take any further advice.
>>
>> Thanks!
>>
>> "Scott Roberts" <sroberts@no.spam.here-webworks-software.com> wrote in
>> message news:Ob3$CodMIHA.3940@TK2MSFTNGP05.phx.gbl...
>>>
>>> "Bishop" <nospam@nospam.com> wrote in message
>>> news:e6erFIdMIHA.2140@TK2MSFTNGP03.phx.gbl...
>>>> A new application I built uses the ASP.NET 2005 Login Controls. What I
>>>> noticed is that when I lose my session, I'm still logged in. I don't
>>>> know much about the login controls but assumed they were session based
>>>> and would vanish with my session.
>>>>
>>>> So my question is, can anyone explain why I'm not losing my login and
>>>> how it is being managed that it stays after my session is gone. Maybe
>>>> I should use another method such as SQL to manage my session
>>>> information?
>>>
>>>
>>> ASP.NET membership is cookie-based, not session-based.
>>>
>>> Sessions can be lost for a variety of reasons. You obviously want to
>>> minimize their use and try not to depend on things being there for long
>>> periods of time. If you absolutely need to store user info on the server
>>> for long periods of time, I think a DB is going to be the best way to
>>> go.
>>
>>
>
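
Added example, not part of the original thread: a web.config fragment showing the two independent timers discussed above, the forms-authentication ticket and server session state. The login page path and both timeout values are assumptions chosen for illustration, and `requireSSL` assumes the site is served over HTTPS.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>

    <!-- Forms authentication: the login state lives in an encrypted ticket
         carried in its own cookie (named .ASPXAUTH unless "name" is set).
         It does not depend on server session state. -->
    <authentication mode="Forms">
      <!-- loginUrl is a hypothetical path.
           timeout is in minutes (60 is an illustrative value).
           slidingExpiration renews the ticket on activity once more than
           half of the timeout has elapsed.
           cookieless="UseCookies" keeps the ticket out of the URL, where it
           could leak through logs, bookmarks or the Referer header.
           requireSSL marks the cookie Secure so it is only sent over HTTPS.
           protection="All" keeps the ticket both encrypted and validated. -->
      <forms loginUrl="~/Login.aspx"
             timeout="60"
             slidingExpiration="true"
             cookieless="UseCookies"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- Session state: a separate cookie (ASP.NET_SessionId) and a separate
         idle timeout, also in minutes (20 is an illustrative value).
         Losing the session, whether by timeout or an application restart
         with InProc mode, leaves the authentication ticket untouched. -->
    <sessionState mode="InProc"
                  timeout="20"
                  cookieless="UseCookies" />

  </system.web>
</configuration>
```

With these values a user who has been idle for 30 minutes has lost the Session contents but still holds a valid ticket, which is the behaviour reported in the first post.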