I'm using forms authentication with my .net 2.0 site.
I'm setting some cookies after the user logs in, and as long
as they stay logged in I can "see" the cookies on subsequent posts.

The problem is that as soon as the user logs out, the cookies are gone.
I know ASP will expire the Ticket cookie, but does it expire
all other cookies too?

Anyone else ever experience this?  Is it by design?

Thanks!
S

How are you setting your cookies?  If you aren't providing a good expiration 
date, the cookies will become "session" cookies, which only last as long as 
the session does.


"Steve"  wrote in message 
news:E9214842-68D0-45D5-AEF9-5A09D0C8522A@microsoft.com...

> I'm using forms authentication with my .net 2.0 site.
> I'm setting some cookies after the user logs in, and as long
> as they stay logged in I can "see" the cookies on subsequent posts.
>
> The problem is that as soon as the user logs out, the cookies are gone.
> I know ASP will expire the Ticket cookie, but does it expire
> all other cookies too?
>
> Anyone else ever experience this?  Is it by design?
>
> Thanks!
> S
> 

Here's the code... as you can see I am setting the expiration date.
In the page load I'm looking for the cookie so my team doesn't have to enter
their User ID every time.
I'm posting all the code just in case you see anything else I've left out.

In the Page_Load event, the cookie is always null after they've logged out.

Thanks for your quick reply! Let me know if you see anything else I may have 
missed.
S



protected void Page_Load(object sender, EventArgs e) {
        if (!IsPostBack) {
            if (Request.Cookies["EmpID"] != null) {
                Login1.UserName = Response.Cookies["EmpID"].Value;
            }
        }
}

protected void Login1_LoggedIn(object sender, EventArgs e) {
        if (Login1.RememberMeSet) {
            HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
            cook.Expires = DateTime.Now.AddYears(1);
            Response.Cookies.Add(cook);
        }
}

"Scott M." wrote:


> How are you setting your cookies?  If you aren't providing a good expiration 
> date, the cookies will become "session" cookies, which only last as long as 
> the session does.
> 
> 
> "Steve"  wrote in message 
> news:E9214842-68D0-45D5-AEF9-5A09D0C8522A@microsoft.com...
> > I'm using forms authentication with my .net 2.0 site.
> > I'm setting some cookies after the user logs in, and as long
> > as they stay logged in I can "see" the cookies on subsequent posts.
> >
> > The problem is that as soon as the user logs out, the cookies are gone.
> > I know ASP will expire the Ticket cookie, but does it expire
> > all other cookies too?
> >
> > Anyone else ever experience this?  Is it by design?
> >
> > Thanks!
> > S
> > 
> 
> 
> 

HA! Do I feel like an idiot:
   if (Request.Cookies["EmpID"] != null) {
      Login1.UserName = Response.Cookies["EmpID"].Value;
   }
I was checking the Request object if it was null, but referencing the 
Response object to get the value.  DUH!!!

Sorry for the bother and thanks for your help!!!
S


"Steve" wrote:


> Here's the code... as you can see I am setting the expiration date.
> In the page load I'm looking for the cookie so my team doesn't have to enter
> their User ID every time.
> I'm posting all the code just in case you see anything else I've left out.
> 
> In the Page_Load event, the cookie is always null after they've logged out.
> 
> Thanks for your quick reply! Let me know if you see anything else I may have 
> missed.
> S
> 
> 
> 
> protected void Page_Load(object sender, EventArgs e) {
>         if (!IsPostBack) {
>             if (Request.Cookies["EmpID"] != null) {
>                 Login1.UserName = Response.Cookies["EmpID"].Value;
>             }
>         }
> }
> 
> protected void Login1_LoggedIn(object sender, EventArgs e) {
>         if (Login1.RememberMeSet) {
>             HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
>             cook.Expires = DateTime.Now.AddYears(1);
>             Response.Cookies.Add(cook);
>         }
> }
> 
> "Scott M." wrote:
> 
> > How are you setting your cookies?  If you aren't providing a good expiration 
> > date, the cookies will become "session" cookies, which only last as long as 
> > the session does.
> > 
> > 
> > "Steve"  wrote in message 
> > news:E9214842-68D0-45D5-AEF9-5A09D0C8522A@microsoft.com...
> > > I'm using forms authentication with my .net 2.0 site.
> > > I'm setting some cookies after the user logs in, and as long
> > > as they stay logged in I can "see" the cookies on subsequent posts.
> > >
> > > The problem is that as soon as the user logs out, the cookies are gone.
> > > I know ASP will expire the Ticket cookie, but does it expire
> > > all other cookies too?
> > >
> > > Anyone else ever experience this?  Is it by design?
> > >
> > > Thanks!
> > > S
> > > 
> > 
> > 
> > 

What happens if someone manually changes the empid cookie on the client?

Will that bring your app in trouble (maybe even security trouble) ?


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)


> HA! Do I feel like an idiot:
> if (Request.Cookies["EmpID"] != null) {
> Login1.UserName = Response.Cookies["EmpID"].Value;
> }
> I was checking the Request object if it was null, but referencing the
> Response object to get the value.  DUH!!!
> 
> Sorry for the bother and thanks for your help!!!
> S
> "Steve" wrote:
> 
>> Here's the code... as you can see I am setting the expiration date.
>> In the page load I'm looking for the cookie so my team doesn't have
>> to enter
>> their User ID every time.
>> I'm posting all the code just in case you see anything else I've left
>> out.
>> In the Page_Load event, the cookie is always null after they've
>> logged out.
>> 
>> Thanks for your quick reply! Let me know if you see anything else I
>> may have
>> missed.
>> S
>> protected void Page_Load(object sender, EventArgs e) {
>> if (!IsPostBack) {
>> if (Request.Cookies["EmpID"] != null) {
>> Login1.UserName = Response.Cookies["EmpID"].Value;
>> }
>> }
>> }
>> protected void Login1_LoggedIn(object sender, EventArgs e) {
>> if (Login1.RememberMeSet) {
>> HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
>> cook.Expires = DateTime.Now.AddYears(1);
>> Response.Cookies.Add(cook);
>> }
>> }
>> "Scott M." wrote:
>> 
>>> How are you setting your cookies?  If you aren't providing a good
>>> expiration date, the cookies will become "session" cookies, which
>>> only last as long as the session does.
>>> 
>>> "Steve"  wrote in message
>>> news:E9214842-68D0-45D5-AEF9-5A09D0C8522A@microsoft.com...
>>> 
>>>> I'm using forms authentication with my .net 2.0 site.
>>>> I'm setting some cookies after the user logs in, and as long
>>>> as they stay logged in I can "see" the cookies on subsequent posts.
>>>> The problem is that as soon as the user logs out, the cookies are
>>>> gone.
>>>> I know ASP will expire the Ticket cookie, but does it expire
>>>> all other cookies too?
>>>> Anyone else ever experience this?  Is it by design?
>>>> 
>>>> Thanks!
>>>> S

> I was checking the Request object if it was null, but referencing the
> Response object to get the value.  DUH!!!


Actually you were doing it the other way around!

This isn't a public web site, only internal to our intranet, and it's only 
being used by people on my team, so security concerns of this nature aren't 
paramount.
Forms authentication for this app is used more as a way of establishing ID 
vs security.

Thanks for the heads up though.....

"Dominick Baier" wrote:


> What happens if someone manually changes the empid cookie on the client?
> 
> Will that bring your app in trouble (maybe even security trouble) ?
> 
> 
> -----
> Dominick Baier (http://www.leastprivilege.com)
> 
> Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
> 
> > HA! Do I feel like an idiot:
> > if (Request.Cookies["EmpID"] != null) {
> > Login1.UserName = Response.Cookies["EmpID"].Value;
> > }
> > I was checking the Request object if it was null, but referencing the
> > Response object to get the value.  DUH!!!
> > 
> > Sorry for the bother and thanks for your help!!!
> > S
> > "Steve" wrote:
> > 
> >> Here's the code... as you can see I am setting the expiration date.
> >> In the page load I'm looking for the cookie so my team doesn't have
> >> to enter
> >> their User ID every time.
> >> I'm posting all the code just in case you see anything else I've left
> >> out.
> >> In the Page_Load event, the cookie is always null after they've
> >> logged out.
> >> 
> >> Thanks for your quick reply! Let me know if you see anything else I
> >> may have
> >> missed.
> >> S
> >> protected void Page_Load(object sender, EventArgs e) {
> >> if (!IsPostBack) {
> >> if (Request.Cookies["EmpID"] != null) {
> >> Login1.UserName = Response.Cookies["EmpID"].Value;
> >> }
> >> }
> >> }
> >> protected void Login1_LoggedIn(object sender, EventArgs e) {
> >> if (Login1.RememberMeSet) {
> >> HttpCookie cook = new HttpCookie("EmpID", Login1.UserName);
> >> cook.Expires = DateTime.Now.AddYears(1);
> >> Response.Cookies.Add(cook);
> >> }
> >> }
> >> "Scott M." wrote:
> >> 
> >>> How are you setting your cookies?  If you aren't providing a good
> >>> expiration date, the cookies will become "session" cookies, which
> >>> only last as long as the session does.
> >>> 
> >>> "Steve"  wrote in message
> >>> news:E9214842-68D0-45D5-AEF9-5A09D0C8522A@microsoft.com...
> >>> 
> >>>> I'm using forms authentication with my .net 2.0 site.
> >>>> I'm setting some cookies after the user logs in, and as long
> >>>> as they stay logged in I can "see" the cookies on subsequent posts.
> >>>> The problem is that as soon as the user logs out, the cookies are
> >>>> gone.
> >>>> I know ASP will expire the Ticket cookie, but does it expire
> >>>> all other cookies too?
> >>>> Anyone else ever experience this?  Is it by design?
> >>>> 
> >>>> Thanks!
> >>>> S
> 
> 
>