4

I'm using Forms Authentication fairly successfully, but have run into a strange issue. I've looked around the web, and haven't found the answer thus far.

I'm using some Javascript to determine when the current session is 60 seconds away from timing out, and if so - pop up a dialog box with a button which, if pressed, will extend the current FormsAuthentication ticket.

This is the code I'm using to renew the ticket. I'm simply add 5 minutes to the current expiration date of the ticket. But when I output the new expiration date, it's always under 5 minutes; normally 4 minutes and some seconds.

The code:

    string userID = HttpContext.Current.User.Identity.Name;
    HttpCookie cookie = FormsAuthentication.GetAuthCookie(userID, true);

    FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);

    DateTime NEW_EXPIRY = DateTime.Now.AddMinutes(FormsAuthentication.Timeout.Minutes);

    FormsAuthenticationTicket newTicket = new FormsAuthenticationTicket(
        ticket.Version, 
        userID, 
        DateTime.Now,
        NEW_EXPIRY,
        ticket.IsPersistent,
        ticket.UserData,
        ticket.CookiePath);

    cookie.Value = FormsAuthentication.Encrypt(newTicket);

    if (ticket.IsPersistent) cookie.Expires = newTicket.Expiration;

    cookie.Secure = FormsAuthentication.RequireSSL;

    HttpContext.Current.Response.Cookies.Add(cookie);

So, here's an example output of the time differences:

The time stamp now = 16/01/2016 14:03:28 ticket expires=16/01/2016 14:07:49 (TOTAL SECONDS=261.0857244)

Why is it not resetting the expiration time to exactly 14:08:28?? I'm banging my head on the wall here...

andym0908
  • 151
  • 1
  • 1
  • 6
  • Is the site running locally, or on a server? – stuartd Jan 16 '16 at 14:10
  • I'm going out on a limb here - does your code perhaps take a variable number of seconds to get the `FormsAuthentication.Timeout` property? Possibly due to your IIS setup? My guess is that at runtime, `DateTime.Now` is read, then it takes some time to initialize and get the timeout, then that gets added to the now-out-of-date time... – Balah Jan 16 '16 at 14:35
  • @stuartd - it's running locally, but does the same on a server – andym0908 Jan 16 '16 at 16:06
  • @balah - I'm not sure there's any delay as such. The expiration time stamp is less than it should be. When I've output the value that's being applied to the FormsAuthentication ticket object, it's correct. However, upon encrypting it, and adding it to the Cookie response object, the value ends up being less than it should be, as in the example above. – andym0908 Jan 16 '16 at 16:12
  • Yeah it was a long shot in any case. What version of .NET are you using? – Balah Jan 16 '16 at 17:10
  • @Balah - I'm using framework 4.6 – andym0908 Jan 16 '16 at 17:22

1 Answers1

0

Ok so I still don't know why the expiration value from the FormsIdentity object is incorrect... so what I've done is passed the actual new expiration value (as a DateTime) back from the renewal method,and relied on that. So it seems that this value is correct, and that's the value I should be using to determine the real time out value.

Does that even make sense? I dunno, but it's working now!

andym0908
  • 151
  • 1
  • 1
  • 6