hi we are using FormsAuthentication.SetAuthCookie(profile.Id, false);
Now the question is when does this cookie expires?
It of course expires once I close all the browsers but it doesn't I keep the browser open and I don't know the timelimit.
It will depend on the Timeout property in web.config.
In the system.web attribute of your web.config file, you must set the following:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
then your cookie will expire depending on the value you have set in the timeout attribute.
Related
Is it possible to check when a cookie is due to expire? I have tried the following:
First I set three cookies:
<cfcookie name="test1" value="" expires="10" />
<cfcookie name="test2" value="" expires="never" />
<cfcookie name="test3" value="" expires="now" />
Then on another page I check the cookie data:
<cfset cookies = getPageContext().getRequest().getCookies()>
<Cfoutput>
<cfloop index="c" array="#cookies#">#c.getName()#:#c.getMaxAge()#<br>
</cfloop>
</Cfoutput>
However MaxAge returns -1 for all cookies instead of the actual expiration date. How can I get the actual expiration date?
Attempting to answer this question (only because this is a ColdFusion question and I thought it would be rude to mark this a duplicate of a Java question without discussing it.) without completely plagiarizing this Java answer.
getPageContext().getRequest().getCookies() this basically gets you the cookies that were sent to the server by the browser. The browser only sends back the name and value of the cookie. So once the cookie is set, there is no way for the server to know when that Cookie is going to expire. You might need to save the cookie expiry on the server side when you are setting it.
I have Sitecore 6.6 installed. I wanted to add a new domain to Sitecore; Since my Sitecore instance is deployed in two servers with two Sitecore sites in each pointing to different web databases but same core, master and analytics databases, I couldn't do it using Sitecore Domain manager.So I thought of doing it manually by editting the App_Config\Security\domains.config in the server. The following was the domains.config that I had.
<?xml version="1.0" encoding="utf-8"?>
<domains xmlns:sc="Sitecore">
<domain name="sitecore" ensureAnonymousUser="false" />
<domain name="extranet" defaultProfileItemId="{AE4C4969-5B7E-4B4E-9042-B2D8701CE214}" />
<domain name="default" isDefault="true" />
<sc:templates>
<domain type="Sitecore.Security.Domains.Domain, Sitecore.Kernel">
<ensureAnonymousUser>true</ensureAnonymousUser>
<locallyManaged>false</locallyManaged>
</domain>
</sc:templates>
<domain name="Station" defaultProfileItemId="{F181ED3D-F342-46E6-B6F6-2A6A6173B513}" />
<domain name="Emailcampaign" />
</domains>
I added one more domain(MyDomain) at the end like below.
<?xml version="1.0" encoding="utf-8"?>
<domains xmlns:sc="Sitecore">
<domain name="sitecore" ensureAnonymousUser="false" />
<domain name="extranet" defaultProfileItemId="{AE4C4969-5B7E-4B4E-9042-B2D8701CE214}" />
<domain name="default" isDefault="true" />
<sc:templates>
<domain type="Sitecore.Security.Domains.Domain, Sitecore.Kernel">
<ensureAnonymousUser>true</ensureAnonymousUser>
<locallyManaged>false</locallyManaged>
</domain>
</sc:templates>
<domain name="Station" defaultProfileItemId="{F181ED3D-F342-46E6-B6F6-2A6A6173B513}" />
<domain name="Emailcampaign" />
<domain name="MyDomain" />
</domains>
As soon as I did that, Sitecore.Context.User.IsAuthenticated started returning true for extranet\Anonymous user(Non-logged in user) in the code.
Has anyone faced this issue before?
Please let me know where am I going wrong.
I also encounted this issue back when I was working with Sitecore 6.6, I'm not certain if its an issue in later versions. Essentially when you modified your domains.config with the param ensureAnonymousUser set to true the Anonymous User for that domain, in this case Extranet, was created in the database - it may not have been until you changed that setting.
In Sitecore all non-logged in users view the site as the user *domain*/anonymous. As Sitecore's membership is based on .NET Membership it determines that the User is logged in as its using that account.
Therefore I recommend completing an additional check with your Sitecore.Context.User.IsAuthenticated to check if the username of User's account is *domain of site*/anonymous, Sitecore.Context.User.Name, if it is return false.
EDIT
I have confirmed Sitecore.Context.User.IsAuthenticated returning true for *domain*\Anonymous user has been fixed in Sitecore 8. Therefore you can use it to determine if the User is logged in and not using the *domain*\anonymous account.
We finally resolved this issue! This was caused by a fix we added to solve an issue we had with Sitecore ECM. The issue was that Sitecore used to log out as soon as we clicked on the message preview. So we followed the steps given in the below thread to fix the issue.
https://stackoverflow.com/a/30836600/4165670
But we were not testing for Anonymous user like it is done in the thread. We never pushed this code into Content Delivery site and when
we created the new domain, This code got pushed into the Content Delivery site with some other code.
Since we are setting the current user as the Active user in the code, it started showing that extranet\Anonymous user as the current user.
I am trying to delete a client-side cookie when I access a certain page. How to I do this? Even after using the code below, I'm unable to delete the client side cookie:
<cfcookie name="GIFT CAT" value="" expires="NOW" />
<cfset StructDelete(cookie, 'GIFTCAT', false)>
You need to make sure all attributes are the same as on the set cookie. So secure, domain and path specifically.
<cfcookie name="test1" value="1" domain="test.com" />
<cfcookie name="test1" value="" expires="now" />
doesn't work, but
<cfcookie name="test1" value="1" domain="test.com" />
<cfcookie name="test1" value="" domain="test.com" expires="now" />
does work.
(Expanded from comments)
It sounds like you are testing the cookie status incorrectly. You cannot do this in a single http request. The http response must be sent back to the browser for the client cookie to actually be deleted. That change will be reflected in the next http request.
when i keep the dump to see the result showing empty string
Also, if you review the ColdFusion documentation it states that expire="now" does not delete the corresponding variable [from] the Cookie scope of the active page). So if you delete a cookie, then dump the cookie scope on the same page, the deleted cookie will still exist. In your case the value will be an empty string.
Properly testing the behavior requires three requests:
Create the cookie:
<cfcookie name="GIFT_CAT" value="Created cookie at #now()#"/>. After running the script in your browser, "GIFT_CAT":
Exists in the CF cookie scope
Exists in browser cookies
Delete the cookie: <cfcookie name="GIFT_CAT" value="" expires="NOW" />. After running the script in your browser, "GIFT_CAT":
Still exists in the CF cookie scope (because expire does not delete it on the active page)
Does NOT exist in browser cookies (because the browser deletes the cookie after receiving the response)
Finally, verify the cookies: <cfdump var="#COOKIE#">. After running the script in your browser, "GIFT_CAT":
Does NOT exist in the CF cookie scope
Does NOT exist in browser cookies
I have a web application which uses CAS Ticket for user authentication purpose which is different for every login. I recorded the script in JMeter. Also I correlated the pages by filling up the Regular Expression Extractor as follows:
Recorded script has url: https://foo.com/j_spring_cas_security_check?ticket=ST-3101-QDTyjbbHoOHvgPMdRBIg-cas.
After applying all above I ran the script but got status fail displaying https://foo.com/j_spring_cas_security_check?ticket=Ticket_Not_Found.
It would be very helpful if someone could tell me what did I miss in my script?
There is two ways for this,
if you have multiple username and password and you can use those with Jmeter,
you can use those to generate CAS ST(Service ticket).
Another:
default when CAS create ticket, it can be just used for one time.
you have to change values in ticketExpirationPolicies.xml of your cas server
to use same ticket multiple times.
default location is:
WEB_INF/spring-configuration/ticketExpirationPolicies.xml
change this to if you want 50 users to use same ticket
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="1"
value="100000" />
</bean>
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="0"
value="7200000" />
</bean>
Answer given by: VIVEK ADHIKARI
It seems that an error happened when fetching ticket value from url's parameter list. Maybe you can add a hidden field on your page and set its value from this parameter.
<input type="hidden" id="ticket_key" value="ST-3101-QDTyjbbHoOHvgPMdRBIg-cas" />
Then you can get it by Regular Extractor ticket_key=(.+)
Hope it helps.
<authentication mode="Forms">
<forms name="ASPAuth"
path="/Admin"
timeout="20"
requireSSL="false"
slidingExpiration="true" />
</authentication>
On my dev system I have the above in my web.config. This works fine if I am using VS web server. But when I host the same website on my IIS7 using a virtual directory it doesn't.
VS Url looks like: http://localhost:xxxx/
IIS URL looks like: http://MachineName/MyApp/.
When accessing the website through IIS the IsAuthenticated is always false. I figured out that it's because the cookie is being assigned to http://MachineName/Admin/ not http://MachineName/MyApp/Admin.
How I make it so that "Admin" is a relative path? I tried path="~/Admin" but that doesn't work.
Thanks!
Try putting a transformation into your Web.Release.Config:
<authentication mode="Forms">
<forms name="ASPAuth"
path="/MyApp/Admin"
timeout="20"
requireSSL="false"
slidingExpiration="true"
xdt:Transform="Replace"
xdt:Locator="Match(key)"/>
</authentication>
Answer:
It's simply not possible to do it at this stage. You cannot have a relative path with a tilda (~) in your web.config for forms authentication path unless you're willing to write your own HttpModule.
See this post (and the comments):
http://www.west-wind.com/weblog/posts/2008/Jan/20/Forms-Authentication-and-path-in-the-forms-Tag