Send Forms Authentication Cookie with explicit samesite=none - asp.net

I have been able to do this transition for the session cookie but not for the login cookie,
and I have the following web.config:
<authentication mode="Forms">
<forms name="MyCookie" loginUrl="~/Login/login.aspx" timeout="30" slidingExpiration="true" cookieless="UseCookies" cookieSameSite="None" protection="All" requireSSL="true" defaultUrl="~/Login/DefaultRedirect.aspx" enableCrossAppRedirects="false" path="/" />
</authentication>
If I change cookieSameSite="None" to cookieSameSite="Lax" or Strict, I can see that the change takes place, but it seems to still have the old behavior of not emitting the SameSite value when set to None.
I'm using .NET Framework 4.7.2 and have installed the server update that allowed me to do the session with samesite=none.

Turns out I was missing sameSite="None" on <httpCookies
So now I have:
<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="None" />
<authentication mode="Forms">
<forms name="MyCookie" loginUrl="~/Login/login.aspx" timeout="30" slidingExpiration="true" cookieless="UseCookies" cookieSameSite="None" protection="All" requireSSL="true" defaultUrl="~/Login/DefaultRedirect.aspx" enableCrossAppRedirects="false" path="/" />
</authentication>
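
A small audit for the condition the answer above describes, added here as an example and not part of the original posts: it flags a web.config whose <forms> element sets cookieSameSite="None" while <httpCookies> has no sameSite attribute, and a SameSite=None forms cookie without requireSSL="true". The function names, finding codes and sample configs are constructed for this example from the elements quoted in the post.

```python
import xml.etree.ElementTree as ET

def audit_forms_samesite(web_config_xml):
    """Return finding codes for a forms-auth cookie configured as SameSite=None."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for sw in root.iter("system.web"):          # also matches a bare <system.web> root
        forms = sw.find("authentication/forms")
        if forms is None or forms.get("cookieSameSite", "").lower() != "none":
            continue                            # forms cookie is not SameSite=None
        http = sw.find("httpCookies")
        # Condition from the answer: cookieSameSite="None" on <forms> while
        # <httpCookies> carries no sameSite attribute.
        if http is None or http.get("sameSite") is None:
            findings.append("httpCookies-sameSite-missing")
        # Current browsers reject SameSite=None cookies that are not marked Secure.
        if forms.get("requireSSL", "").lower() != "true":
            findings.append("sameSite-None-without-requireSSL")
    return findings

def sample_config(http_cookies_attrs, forms_require_ssl):
    """Build a constructed web.config from the elements quoted in the post."""
    http = "<httpCookies %s />" % http_cookies_attrs if http_cookies_attrs else ""
    return (
        "<configuration><system.web>" + http +
        '<authentication mode="Forms"><forms name="MyCookie" '
        'loginUrl="~/Login/login.aspx" cookieless="UseCookies" '
        'cookieSameSite="None" protection="All" requireSSL="%s" path="/" />'
        "</authentication></system.web></configuration>" % forms_require_ssl
    )

if __name__ == "__main__":
    before = sample_config('httpOnlyCookies="true" requireSSL="true"', "true")
    after = sample_config(
        'httpOnlyCookies="true" requireSSL="true" sameSite="None"', "true")
    print("before:", audit_forms_samesite(before))
    print("after: ", audit_forms_samesite(after))
```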

Related

How can I get the value of forms loginurl at runtime?

I have this in my web.config:
...
<system.web>
<sessionState mode="InProc" timeout="30" cookieless="UseCookies" />
<authentication mode="Forms">
<forms loginUrl="http://myurl" path="/" cookieless="UseCookies" slidingExpiration="true" requireSSL="true" />
</authentication>
...
How can I get the value of loginurl at runtime?
System.Web.Security.FormsAuthentication.LoginUrl
Gets the URL for the login page that the FormsAuthentication class
will redirect to.
Details at MSDN.

Authentication expires in ASP.NET MVC

I want to log a user into an ASP.NET MVC site, and the session expires abnormally quickly, in minutes. I want the session to hold for days instead. Authentication is done using System.Web.Security:
FormsAuthentication.Authenticate(username, password);
My web.config looks like this:
<system.web>
<customErrors mode="Off" />
<httpRuntime targetFramework="4.5" />
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login"
name=".ASPXAUTH"
timeout="86400"
slidingExpiration="true"
defaultUrl="Day/ListDays"
path="/"
protection="All"
requireSSL="false"
cookieless="UseDeviceProfile"
domain=""
enableCrossAppRedirects="false">
<credentials passwordFormat="Clear">
<user name="user" password="-" />
</credentials>
</forms>
</authentication>
<sessionState mode="StateServer"
stateConnectionString="tcpip=loopback:42424"
cookieless="false"
timeout="300" />
</system.web>

How to redirect page when session expires

I use the following code in web.config but it doesn't work properly. Suggest your code for redirecting when the session expires.
My code is:
<authentication mode="Forms">
<forms name="MyAuth" timeout="60" protection="All" loginUrl="Login.aspx" slidingExpiration="true" />
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="60" />
I use the following code:
<authentication mode="Forms">
<forms name="WhateverYourAuthNameIs" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" protection="All" path="/" cookieless="AutoDetect" timeout="2880" />
</authentication>
Perfectly working for me.
You can check for a session using Session["sessionName"] and see if it returns null and if it does just redirect them using Response.Redirect("login.aspx");
if (Session["sessionName"] == null)
{
    Response.Redirect("Login.aspx");
}

.ASPXAUTH expires so soon

I have these on my web.config of my root directory
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="60"
name=".ASPXAUTH"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false" />
</authentication>
But .ASPXAUTH is cleared so soon (5 minutes, I guess).
What is the probable reason?
Very often, it is because you rebuild the solution. The web server restarts and the machineKey is regenerated.
So the cookie encrypted and signed by previous machineKey is invalid.
That's why you are forced to log out.
Here is a quick one for you.
https://stackoverflow.com/a/436053/280970

Increase life time for Asp.net authentication cookie

I used the following code to set the authentication cookie:
System.Web.Security.FormsAuthentication.SetAuthCookie(Profile.Email, true);
My question is how I can increase the lifetime of this authentication cookie?
The timeout is set primarily in the web.config file, you can do it in code but I wouldn't advise it.
These are the default settings, you can see the timeout value that's specified in minutes.
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name=".ASPXAUTH"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false" />
</authentication>
</system.web>
This is how to set that time up. (For instance, for two weeks expiration).
var cookie = FormsAuthentication.GetAuthCookie("user-name", false);
cookie.Expires = DateTime.UtcNow.AddDays(14);
Response.Cookies.Add(cookie);
