Home/ Questions/Q 3361500
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T03:09:36+00:00

Using ASP.NET 2.0, with forms authentication. Just for a test, I configured the roles

  • 0

Using ASP.NET 2.0, with forms authentication.
Just for a test, I configured the roles cookie in web.config like this :

<roleManager enabled="true" cacheRolesInCookie="true" cookieName=".ASPXROLES" cookieTimeout="2"></roleManager>

I wanted to see what would happen when the cached role cookie expired.
Using Fiddler, after 2 minutes had elapsed, I could see that the raw value of the role cookie had changed.

I was expecting that on expiry, that ASP.NET would simply re-read the roles information from the database, and repopulate the cookie with the same value. So my question is, why would the raw value of the cookie change after expiry ? The cookie value is not human-readable (base 64 encoded and/or encrypted ?), so I can’t tell if the information in it is the same, although the application still seems to work fine.

EDIT :

It looks like each time the roles are encrypted and cached in the cookie, it gets a different raw value.

e.g. if you run the following code :

    RolePrincipal rp = (RolePrincipal) User;
    string str = rp.ToEncryptedTicket();
    Label1.Text = str;

You get a different value each time.
So the behavior seems normal.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Well the aspxroles cookie only pertains to role queries on the user. Unless you’re doing things with the roles that would cause it to function differently (web.config auth?) then you’re not going to see anything by expiring the cookie.

    Can you share your web.config and basic pages that you’re using to test this?

    Have you tried that particular configuration to see what changes after the expiration?

    <location path="img/logo.png">
    <system.web>
        <authorization>
            <deny users="?"/>
            <allow roles="CanSeeLogo"/>
        </authorization>
    </system.web>
</location>

    Based on the question edit:

    In my web.config under <configuration><system.web> I have this key:

    <machineKey decryption="AES" decryptionKey="{64bits random hex}" validation="SHA1" validationKey="{128 bits random hex}"/>

    I’m curious if you set that “manually” if you’ll have a constantly changing encrypted string. Also, this is set by default in your C:\Windows\Microsoft.Net\Framework\etc folders, but you can redefine it (obviously) in your web.config to override it per application. This also allows you to share the same cookie cross-app within your domain.

    Link to generate random hex strings

    https://www.grc.com/passwords.htm

    concat the first result from two page refreshes for the second one. Removing the web.config key later doesn’t impact your app negatively (of course it wouldn’t)

    • 0