I am creating an HttpCookie in my AccountController during the login process like so:

```csharp
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
```
When model.RememberMe is false I notice that I am never logged out, even if I restart the browser. Shouldn't the session expire after 20 minutes or on closing the browser?
I also, during the authentication process, set a cookie to store Role information using this method. This also sets a non persistent cookie. Is this affecting the login cookie?
What I notice is that, when I deserialize my cookie in Global.asax.cs, the HttpCookie has an expiration of DateTime.MinValue and the authTicket has an expiration of up to 20 minutes in the future. If I let this time elapse I do not notice the user logs out; in fact something has renewed the cookie, as the expiration date jumps 20 minutes or so into the future - but I can't see this happening within my code!
Can anyone help explain what is happening?
```csharp
using System;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Security;

// Global.asax.cs: rebuild the custom principal from the forms ticket on every request.
protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
    HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie != null)
    {
        // The expiry lives inside the encrypted ticket, not on the request cookie.
        var authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        var serializer = new JavaScriptSerializer();
        var serializeModel = serializer.Deserialize<EMPrincipalSerializeModel>(authTicket.UserData);

        if (!authTicket.Expired && serializeModel != null && HttpContext.Current.User.Identity.IsAuthenticated)
        {
            var newUser = new EMPrincipal(authTicket.Name);
            newUser.Id = serializeModel.Id;
            newUser.RealName = serializeModel.RealName;
            newUser.Username = serializeModel.UserName;
            HttpContext.Current.User = newUser;
        }
    }
}
```
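As an added illustration, not code from the question or from ASP.NET itself, the handler below makes the two things described above visible. The cookie read from `Request.Cookies` never carries an expiry (browsers send back only name=value), so `authCookie.Expires` is `DateTime.MinValue` by construction; the real expiry is inside the encrypted ticket. With `slidingExpiration` on (the default for `<forms>`), `FormsAuthenticationModule` reissues the ticket on any request made after more than half of its lifetime has elapsed, which is what pushes the expiry forward outside your own code. `FormsTicketInspector` is a hypothetical helper that mirrors that half-lifetime rule so it can be logged; the `Inspect` method takes `now` as a parameter so it can be tested without a web context. The web.config fragment in the comment is an assumed configuration, shown to pin the lifetime explicitly.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Added example, not the question's code: reports the ticket's real state.
public static class FormsTicketInspector
{
    public sealed class TicketState
    {
        public bool Persistent;      // true when the ticket was issued with RememberMe = true
        public bool Expired;         // 'now' is past ticket.Expiration
        public bool WouldSlide;      // sliding expiration would reissue the ticket on this request
        public TimeSpan Remaining;   // time left before the ticket expires
    }

    // Sliding expiration reissues a ticket once more than half of its lifetime has gone
    // by; this mirrors that rule (hypothetical helper, not the framework's own check).
    public static TicketState Inspect(FormsAuthenticationTicket ticket, DateTime now, bool slidingExpiration)
    {
        TimeSpan lifetime = ticket.Expiration - ticket.IssueDate;
        TimeSpan elapsed = now - ticket.IssueDate;
        bool expired = now > ticket.Expiration;
        return new TicketState
        {
            Persistent = ticket.IsPersistent,
            Expired = expired,
            WouldSlide = slidingExpiration && !expired && elapsed.Ticks > lifetime.Ticks / 2,
            Remaining = expired ? TimeSpan.Zero : ticket.Expiration - now,
        };
    }
}

// Global.asax.cs. To stop the renewal and fix the lifetime, an assumed web.config:
//   <authentication mode="Forms">
//     <forms loginUrl="~/Account/Login" timeout="20" slidingExpiration="false" />
//   </authentication>
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null) return;

        // Request cookies carry only name=value, so authCookie.Expires is always
        // DateTime.MinValue here; the expiry is inside the encrypted ticket.
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (ArgumentException)
        {
            ticket = null; // tampered or malformed cookie value
        }
        if (ticket == null) return;

        var state = FormsTicketInspector.Inspect(ticket, DateTime.Now, FormsAuthentication.SlidingExpiration);
        Trace.WriteLine(string.Format(
            "forms ticket for {0}: persistent={1} expired={2} remaining={3} wouldSlide={4}",
            ticket.Name, state.Persistent, state.Expired, state.Remaining, state.WouldSlide));

        if (state.Expired)
        {
            // Treat an expired ticket as no ticket: clear it and let the request
            // continue anonymously rather than rebuilding a principal from it.
            FormsAuthentication.SignOut();
        }
    }
}
```

`ticket.Expired` compares against `DateTime.Now` internally; `Inspect` takes the instant explicitly so the half-lifetime rule can be checked in a plain unit test. One caveat on the "even if I restart the browser" observation: a non-persistent cookie has no `Expires` and is discarded when the browser exits, unless the browser is set to restore its previous session, in which case session cookies come back with it.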