[Mono-bugs] [Bug 63558][Wis] New - FormsAuthenticationTicket expiration

bugzilla-daemon@bugzilla.ximian.com bugzilla-daemon@bugzilla.ximian.com
Fri, 20 Aug 2004 14:38:40 -0400 (EDT)


Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by jpease@twcny.rr.com.

http://bugzilla.ximian.com/show_bug.cgi?id=63558

--- shadow/63558	2004-08-20 14:38:40.000000000 -0400
+++ shadow/63558.tmp.31156	2004-08-20 14:38:40.000000000 -0400
@@ -0,0 +1,72 @@
+Bug#: 63558
+Product: Mono: Class Libraries
+Version: unspecified
+OS: 
+OS Details: 
+Status: NEW   
+Resolution: 
+Severity: 
+Priority: Wishlist
+Component: Sys.Web
+AssignedTo: mono-bugs@ximian.com                            
+ReportedBy: jpease@twcny.rr.com               
+QAContact: mono-bugs@ximian.com
+TargetMilestone: ---
+URL: 
+Cc: 
+Summary: FormsAuthenticationTicket expiration
+
+Description of Problem:
+Using forms authentication, the ticket fails to expire when expiration time
+is reached.  Instead, the ticket is renewed.
+
+Steps to reproduce the problem:
+1. Modify authtest/web.config (from xsp source) and add a quick timeout to
+<forms> (I used timeout="2").  View index.aspx, which requires
+authentication via login.aspx.
+2. Wait for timeout to be reached.
+3. Refresh index.aspx.
+
+Actual Results:
+The .MONOAUTH cookie's authentication ticket value is updated with a new
+IssueDate and Expiration, and the index.aspx page is loaded.
+
+Expected Results:
+An expired authentication ticket, resulting in a redirect to the login.aspx
+page. 
+
+How often does this happen? 
+Always.
+
+Additional Information:
+
+The code had an unconditional call to RenewTicketIfOld.  It also didn't
+check for slidingExpiration from <forms>.  I added a check for Expired and
+SlidingExpiration in OnAuthenticateRequest (FormsAuthenticationModule.cs)
+to fix the bug and changed the expiration value in SetDates
+(FormsAuthentication.cs) to more accurately represent the msdn
+documentation.  Everything seems to work as expected now with the fix. 
+Here are the diffs:
+
+[...]# diff
+mcs-1.0.1/class/System.Web/System.Web.Security/FormsAuthentication.cs
+mcs-1.0.1/class/System.Web/System.Web.Security/FormsAuthentication.cs.OLD
+314c314
+<                       tNew.SetDates (now, now + (tOld.Expiration -
+tOld.IssueDate));
+---
+>                       tNew.SetDates (now, now - toExpiration + toIssue);
+
+[...]# diff
+mcs-1.0.1/class/System.Web/System.Web.Security/FormsAuthenticationModule.cs
+mcs-1.0.1/class/System.Web/System.Web.Security/FormsAuthenticationModule.cs.OLD
+82a83
+>
+84,87c85
+<                       if (ticket.Expired)
+<                               return;
+<                       if (config.SlidingExpiration)
+<                               ticket =
+FormsAuthentication.RenewTicketIfOld (ticket);
+---
+>                       ticket = FormsAuthentication.RenewTicketIfOld (ticket);