I have an asp.net mvc 3 site that with my own authorize attribute. When a user logs in I make a form Auth cookie
public void SetAuthCookie(string userName, string userData = "",int version = 1)
{
DateTime expiry = DateTime.UtcNow.AddMinutes(30);
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(version, userName, DateTime.UtcNow, expiry, false, userData, "/");
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket) {Path = "/"};
HttpContext.Current.Response.Cookies.Add(authCookie);
}
// AuthorizeAttribute
public class MyAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
{
throw new ArgumentNullException("httpContext");
}
if (httpContext.User.Identity.IsAuthenticated)
{
return true;
}
return false;
}
So I go to my site login and wait for my site to timeout. I then do a request(it’s an ajax request) and it first goes through my attribute and httpContext.User.Identity.IsAuthenticated is still set to true even though I did not request to the server for 3 minutes
<authentication mode="Forms">
<forms loginUrl="~/Account"
protection="All"
name=".MySite"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false"
timeout="1"
/>
</authentication>
You are creating a cookie with 30 minutes timeout:
So you must wait 30 minutes before this cookie becomes invalid. The timeout of 1 minute that you specified in your web.config is ignored because you are manually creating the cookie with a 30 minutes timeout.
If you want to match the value from your web.config you could use the following: