    Microsoft Support
    Understanding the Forms Authentication Ticket and Cookie

    Content provided by Microsoft

    Applies to: Microsoft ASP.NET 1.1


    ASP.NET Support Voice Column


    Understanding the Forms Authentication Ticket and Cookie

    To customize this column to your needs, we want to invite you to submit your ideas about topics that interest you and issues that you want to see addressed in future Knowledge Base articles and Support Voice columns. You can submit your ideas and feedback using the Ask For It form. There's also a link to the form at the bottom of this column.

    Introduction

    Welcome to the Microsoft ASP.NET Support Voice column! I am Nilay B. Shah with the ASP.NET developer support team. I have been working with ASP.NET support for more than one and a half years. Forms Authentication is really a cool authentication feature. This article covers some issues that users have found confusing with forms authentication, such as the relationship of the forms authentication ticket and the forms authentication cookie and their relevant settings. I would like to thank Jerry Orman, technical lead for the ASP.NET support team, for his incredible help!

    People sometimes wonder about forms authentication "tickets" and "cookies" because they are closely related. I have come across questions such as these: Can anyone explain the difference between the cookie expiration and the ticket expiration? When the cookie expires, the user will be redirected to the logon page. What happens when the ticket expires? Will it also make the cookie expire? What does SlidingUpdate actually update?

    I will focus on these two aspects of Forms Authentication in this article to answer the following questions:
    • What are the forms authentication ticket and the forms authentication cookie? How are they related?
    • What is the role of a ticket in Forms Authentication?
    • How are cookie expiration and ticket expiration related?
    • How does sliding expiration work in the context of forms authentication ticket and forms authentication cookie?
    • Where can the time-out property of the forms authentication cookie and forms authentication ticket be set?
    • Issue scenario: The forms authentication may time out before the timeout attribute value that is set in the configuration file

    What are the forms authentication ticket and the forms authentication cookie? How are they related?

    The forms authentication cookie is nothing but the container for the forms authentication ticket. The ticket is passed as the value of the forms authentication cookie with each request and is used by forms authentication, on the server, to identify an authenticated user.

    However, if we choose to use cookieless forms authentication, the ticket is passed in the URL in an encrypted format. Cookieless forms authentication is used because client browsers sometimes block cookies. This feature was introduced in the Microsoft .NET Framework 2.0.

    For more information, visit the following Microsoft Developer Network (MSDN) Web site:
    http://msdn2.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.cookieless.aspx

    What is the role of a ticket in Forms Authentication?

    The forms authentication ticket is used to tell the ASP.NET application who you are. Thus, the ticket is the building block of Forms Authentication's security.

    The ticket is encrypted and signed using the <machineKey> configuration element of the server's Machine.config file. ASP.NET 2.0 uses the decryptionKey and the new decryption attribute of the <machineKey> element to encrypt forms authentication tickets. The decryption attribute lets you specify the encryption algorithm to use. ASP.NET 1.1 and 1.0 use 3DES encryption, which is not configurable. Tampering with the ticket value is detected by a failure to decrypt or validate the ticket on the server. As a result, the user will be redirected to the logon page.


    If the application is deployed in a Web farm, you must make sure that the configuration files on each server share the same value for the validationKey and decryptionKey attributes in the <machineKey> tag, which are used for hashing and decryption of the ticket respectively. You must do this because you cannot guarantee which server will handle successive requests. For more information about FormsAuthenticationTicket encryption and Web farm deployment considerations, visit the following MSDN Web site:
    http://msdn2.microsoft.com/en-us/library/ms998288.aspx
    A walkthrough of methods to manually generate keys can be found in the following Microsoft Knowledge Base articles:
    312906 How to create keys by using Visual C# .NET for use in Forms Authentication

    313091 How to create keys by using Visual Basic .NET for use in Forms Authentication

    Forms authentication tickets can be generated manually by using the FormsAuthenticationTicket class. For more information, visit the following MSDN Web site:
    http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx

    How are cookie expiration and ticket expiration related?

    In the case of a non-persistent cookie, if the ticket has expired, the cookie will also expire, and the user will be redirected to the logon page. On the other hand, if the ticket is marked as persistent, so that the cookie is stored on the client computer, the browser can use the same authentication cookie to log on to the Web site at any time. However, we can use the FormsAuthentication.SignOut method to delete persistent or non-persistent cookies explicitly.

    For more information about the FormsAuthentication.SignOut method, visit the following MSDN Web site:
    http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx
    With cookieless forms authentication, if the browser is closed, the ticket is lost and a new ticket will be generated on the next request.

    How does sliding expiration work in the context of forms authentication ticket and forms authentication cookie?

    Sliding expiration applies to the ticket and the cookie in exactly the same way: both are reissued together.

    Let us take an example: If the user logs on at 5:00:00 PM with the timeout attribute set to 10 and the slidingExpiration attribute set to true, the ticket and cookie should expire at 5:10:00 PM. Now, if any Web page is browsed again at 5:05:00 PM, the cookie and ticket time-out period will be reset to 5:15:00 PM.

    Note If the Web page is accessed before half of the expiration time has passed, the ticket expiration time will not be reset. For example, if any Web page is accessed again at 5:04:00 PM, the cookie and ticket time-out period will not be reset.

    For more information, visit the following MSDN Web site:
    http://msdn2.microsoft.com/en-us/library/1d3t3c61(vs.71).aspx
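    The half-life rule described above, as an added example that is not code from the column or from ASP.NET. SlidingTicketDemo is a hypothetical helper that reproduces the rule with an explicit "now" so the 5:00 PM / timeout="10" walkthrough can be checked without waiting on the wall clock; in a real application the same decision is made for you by FormsAuthentication.RenewTicketIfOld, which uses DateTime.Now, whenever slidingExpiration="true".

```csharp
using System;
using System.Web.Security;

// Added example, not Microsoft code. SlidingTicketDemo is a hypothetical
// helper that models the sliding-expiration rule with an explicit "now".
public static class SlidingTicketDemo
{
    // A ticket is renewed only once more than half of its lifetime has
    // elapsed, i.e. when the time remaining is no longer greater than the
    // time already used. Before that point the existing ticket is kept.
    public static bool ShouldRenew(FormsAuthenticationTicket ticket, DateTime now)
    {
        TimeSpan elapsed = now - ticket.IssueDate;
        TimeSpan remaining = ticket.Expiration - now;
        return remaining <= elapsed;
    }

    // Returns the ticket unchanged when it is not yet past its half-life,
    // otherwise a fresh ticket with the same lifetime re-based on "now".
    // The cookie that carries it must be rewritten at the same time so that
    // cookie and ticket expire together.
    public static FormsAuthenticationTicket RenewIfOld(FormsAuthenticationTicket ticket, DateTime now)
    {
        if (!ShouldRenew(ticket, now))
            return ticket;

        TimeSpan lifetime = ticket.Expiration - ticket.IssueDate;
        return new FormsAuthenticationTicket(
            ticket.Version,
            ticket.Name,
            now,                  // new issue time
            now + lifetime,       // same timeout, restarted from now
            ticket.IsPersistent,
            ticket.UserData,
            ticket.CookiePath);
    }

    // Walks through the example in the column: logon at 5:00:00 PM with
    // timeout="10", then page hits at 5:04 PM and 5:05 PM. Returns the
    // expiration the user ends up with (5:15:00 PM).
    public static DateTime Walkthrough()
    {
        DateTime logon = new DateTime(2012, 8, 16, 17, 0, 0);   // 5:00:00 PM (constructed)
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, "alice", logon, logon.AddMinutes(10), false, String.Empty, "/");

        // 5:04 PM: 4 minutes used, 6 minutes remaining -> not renewed,
        // expiration stays at 5:10:00 PM.
        ticket = RenewIfOld(ticket, logon.AddMinutes(4));

        // 5:05 PM: 5 minutes used, 5 minutes remaining -> renewed,
        // expiration moves to 5:15:00 PM.
        ticket = RenewIfOld(ticket, logon.AddMinutes(5));
        return ticket.Expiration;
    }
}
```

    The practical consequence for operators is that a ticket's lifetime is never extended by more than one timeout per renewal, and a user who is idle for a full timeout period is always logged off, regardless of how often the page was hit during the first half of the window.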

    Where can the time-out value of the forms authentication cookie and forms authentication ticket be set?

    The only setting that you can make is in the Web.config file or the Machine.config file, in the <forms> tag. This change will determine the time-out period of forms authentication in the context of a ticket or cookie unless the ticket is generated manually.

    <!--
    forms Attributes:
    name="[cookie name]" - Sets the name of the cookie used for Forms Authentication.
    loginUrl="[url]" - Sets the URL to redirect client to for authentication.
    protection="[All|None|Encryption|Validation]" - Sets the protection mode for data in cookie.
    timeout="[minutes]" - Sets the duration of time for cookie to be valid (reset on each request).
    path="/" - Sets the path for the cookie.
    requireSSL="[true|false]" - Should the forms authentication cookie be sent only over SSL?
    slidingExpiration="[true|false]" - Should the forms authentication cookie and ticket be reissued if they are about to expire?
    -->
    For more information, visit the following MSDN Web site:
    http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx
    If the ticket is generated manually by using the FormsAuthenticationTicket class, the time-out can be set through the Expiration attribute. This value will override the timeout attribute value specified in configuration files.

    For more information about FormsAuthenticationTicket members, visit the following MSDN Web site:
    http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthenticationticket_members.aspx

    Issue scenario: The forms authentication may time out before the timeout attribute value that is set in the configuration file

    If the forms authentication ticket is manually generated, the time-out property of the ticket will override the value that is set in the configuration file. Therefore, if that value is less than the value in the configuration file, the forms authentication ticket will expire before the configuration file timeout attribute value, and vice versa. For example, let's assume that the <forms> timeout attribute is set to 30 in the Web.config file and the Expiration value of the ticket is set to 20 minutes. In this case, the forms authentication ticket will expire after 20 minutes and the user will have to log on again after that.
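    Manual ticket generation (the FormsAuthenticationTicket section above), the tamper check that the ticket's encryption provides (the role-of-a-ticket section), and the issue scenario just described, as one added example that is not code from the column or from ASP.NET. TicketDemo is a hypothetical helper; it assumes ASP.NET 2.0 or later for HttpCookie.HttpOnly and String.IsNullOrEmpty, and it assumes the <forms> timeout attribute is 30 while the ticket is issued with a 20-minute Expiration, so the ticket wins.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not Microsoft code. TicketDemo is a hypothetical helper
// showing a manually generated ticket whose Expiration overrides the
// <forms timeout="30"> value assumed to be in Web.config.
public static class TicketDemo
{
    // Lifetime written into the ticket itself. Because it is shorter than the
    // configured timeout (assumed 30), the user is logged off after 20 minutes.
    public const int TicketMinutes = 20;

    // Builds the ticket, encrypts and signs it with this server's <machineKey>
    // settings, and wraps it in the cookie forms authentication expects.
    public static HttpCookie IssueTicket(string userName, bool persistent)
    {
        DateTime issued = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // version
            userName,                            // identity carried in the ticket
            issued,                              // issue time
            issued.AddMinutes(TicketMinutes),    // Expiration: overrides config timeout
            persistent,                          // isPersistent
            String.Empty,                        // userData
            FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                          // keep script from reading the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour requireSSL from <forms>
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
        {
            // Only a persistent cookie gets a client-side expiry; a session
            // cookie is discarded when the browser closes.
            cookie.Expires = ticket.Expiration;
        }
        return cookie;
    }

    // Reads the ticket back out of the cookie. Returns null when the cookie is
    // missing, fails decryption/validation (tampered or wrong machineKey), or
    // has expired: the same conditions under which forms authentication
    // redirects the user to the logon page.
    public static FormsAuthenticationTicket ReadTicket(HttpCookie cookie)
    {
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // The exception type for a bad signature or undecryptable blob
            // differs between framework versions; any failure means the
            // ticket cannot be trusted.
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;
        return ticket;
    }
}
```

    In a Web farm the Decrypt call in ReadTicket is also where a mismatched validationKey or decryptionKey between servers shows up: a ticket issued by one server fails validation on another and the user is bounced to the logon page, which is why the column insists the <machineKey> values be shared.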

    Related links

    910439 Troubleshoot Forms Authentication

    891032 Troubleshooting ASP.NET

    301240 How to implement forms-based authentication in your ASP.NET application by using C# .NET

    308157 How to implement forms-based authentication in your ASP.NET application by using Visual Basic .NET

    I hope you found this information helpful in easing some of the confusion involved with the ASP.NET forms authentication ticket and cookie. Remember, the Support Voice columns are for you! As always, feel free to submit ideas on topics you want addressed in future columns or in the Microsoft Knowledge Base using the Ask For It form.

    Last updated: Aug 16, 2012
