forms-authentication

I'm using forms authentication in an ASP.NET application. I configure the FormsAuthenticationTicket to expire in 1 year but it actually expires after 1 hour or so. I can't figure out why. Here is all the code involved in the login process: public static bool Login(int id) { try { string securityToken = UserHelper.AuthenticateUser(id); DateTime expiryDate = DateTime.Now.AddYears(1); FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( 1, id.ToString(), DateTime.Now, expiryDate, true, securityToken, FormsAuthentication.FormsCookiePath); string encryptedTicket = FormsAuthentication

In a generic asp.net website with Membership , Roles and hashed passwords enabled, I would like to provide the administrators with impersonation so that they may browse the website as that user would. The website should function as if that user is logged on and then be able to revert to their own login. What is the best approach to achieve this? An example use-case: A website with two types of users: 'Buyer' and 'Admin'. The website provides a 'Purchase' button to buy something specifically provided to the user by the admins. i.e only that buyer can use the purchase button and make a payment.

I'm developing a C# MVC application and I can't seem to get the Authentication and Session timeouts to synchronize. I have a basic Forms Authentication setup and some limited session values. I set the Authentication timeout less than the session (28 minutes vs 30) but running against the development web server, the session will be wiped on a restart of the server but the authentication sticks around. I'm assuming that the authentication is being stored in a cookie that obviously survives the server restart. <authentication mode="Forms" > <forms loginUrl="~/Account/Login" timeout="28" /> <

OK, here's my code to create an authentication cookie: // get user's role List<UserType> roles = rc.rolesRepository.GetUserRoles(rc.userLoginRepository.GetUserID(userName)); List<string> rolesList = (from r in roles select r.ToString()).ToList(); string[] rolesArr = rolesList.ToArray(); // create encryption cookie FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket( 1, userName, DateTime.Now, DateTime.Now.AddDays(90), createPersistentCookie, String.Join(";",rolesArr) //user's roles ); // add cookie to response stream string encryptedTicket = FormsAuthentication.Encrypt

Imagine that you have a simple site with only 2 pages: login.aspx and secret.aspx. Your site is secured using nothing but ASP.net forms authentication and an ASP.net Login server control on login.aspx. The details are as follows: The site is configured to use the SqlMembershipProvider The site denies all anonymous users Cookies are disabled The are obviously many things to consider regarding security but I am more interested in the zero code out of box experience that comes with the .net framework. If, for the sake of this question, the only attack points are the username/password textboxes in

I am in process of setting up my 1st MVC Web App. I know I need to provide a Forms Based Authentication model as well as I know I will be reusing it for multiple other internal web apps as well. All the documentation for MVC 5 Authentication, which I believe is all based on OWIN stuff, have it "baked" into a single web app using EF Code First no less. What I am trying is to have an another Web App that I strip everything out of except for the Account stuff and then try to "point" my web apps Authentication to that and have it return a "token", I'm guessing, of my Authenticated User and his/her