I’m having a problem with a site where I’m using the ASP.NET SQL Membership Provider. Everything works correctly upon first login. I.e., the user is directed to the login page, and upon successful login, they are sent the original page they requested.
However, after they close the browser, and re-open it, the authentication cookie is still there. They can go straight to any page that requires authentication without logging in.
I have another site where I’m using the same membership provider, and it behaves differently. When I inspect the cookies in Firefox, the site with the problem has “Expires: Monday, April 26, 2010 2:23:50 PM” The site that is working correctly has “Expires: At end of session”.
The setting specifying the expiration time is the same for both sites:
authentication mode="Forms"
forms name=".MySite" protection="All" path="/"
loginUrl="mySite/login.aspx" slidingExpiration="true" timeout="30"
requireSSL="false"
authentication
(I removed the element delimiters in the code reference above, since it was messing up the editor)
Ultimately, I want the timeout to be 30 minutes, but I also want the cookie to expire when the user closes the browser. I don’t want it to sit active on the machine for 30 minutes. This is how it behaves on the other site I’m working on, and I’m not sure what the difference is.
Thanks
-Shane
Did you try setting the cookie persistence to false in the code on the login page that writes the cookie?
Example: