Web Connection
Allow re-defining the Authenticate() session cookie expiration date
  Mike McDonald
  All
  Jan 20, 2019 @ 10:20pm

Rick -

Within the wwProcess::Authenticate() method, there is the following code..

IF Request.IsChecked("WebLogin_chkRememberMe")
    *** Keep the cookie around
    THIS.oResponse.AddCookie(this.cSessionKey,Session.cSessionId,"/",MimeDateTime(DATE() + 5))	
ENDIF

It would be useful if the default of 5 days for the cookie expiration date could be #DEFINE'd in wconnect.h so it could easily be re-defined.

- Mike McDonald

re: Allow re-defining the Authenticate() session cookie expiration date
  Rick Strahl
  Mike McDonald
  Jan 22, 2019 @ 03:33pm

Ok, finally had some time to look at this. Added wwProcess::nAuthenticationTimeoutMinutes which allows you to specify the timeout in minutes.

+++ Rick ---

re: Allow re-defining the Authenticate() session cookie expiration date
  Mike McDonald
  Rick Strahl
  Jan 24, 2019 @ 05:33pm

Rick -

Added wwProcess::nAuthenticationTimeoutMinutes which allows you to specify the timeout in minutes.

Thanks for the new property. That will help me with a small personal project I'm converting to use all SQL data, as well as implementing the MVC pattern.

What is the cookie timeout for the Message Board? I had to Sign In today even though I last posted on January 21st and I last visited the support.west-wind.com site on the 22nd.

I guess the cookie expiration date doesn't update just by posting or visiting the site. I find that I have to Sign In frequently, even though I'm checking the board fairly often.

- Mike McDonald

re: Allow re-defining the Authenticate() session cookie expiration date
  Marcel DESMET
  Mike McDonald
  Jan 25, 2019 @ 12:20am

Hello, my 2 cents .. cookies are linked to the browser

re: Allow re-defining the Authenticate() session cookie expiration date
  Rick Strahl
  Mike McDonald
  Jan 25, 2019 @ 12:34am

The cookie is good for 7 days. No rolling renewals so after 7 days you'll have to log back in. I bumped this to 15 days because I see it also and it bugs me from time to time too.

As Marcel says if you use different browsers - especially two Chromium browsers (I use Brave and Chrome interchangeably a lot) - I think the cookies are specific to each. In my case I probably sometimes log in with Chrome or Brave and then wonder why the time out is up 😃

+++ Rick ---

re: Allow re-defining the Authenticate() session cookie expiration date
  Mike McDonald
  Rick Strahl
  Jan 28, 2019 @ 07:20pm

Rick -

In wwProcess::Authenticate() there is a SET STEP ON statement.

- Mike McDonald

re: Allow re-defining the Authenticate() session cookie expiration date
  Mike McDonald
  Rick Strahl
  Mar 4, 2019 @ 12:41pm

Rick -

The cookie is good for 7 days (changed to 15).

Has something more recently changed with the Message Board cookie timeout? I'm having to Sign In every day now, and actually multiple times today when I was testing my app while also waiting to reply to another message. That is, I started to Reply, but by the time I tried to post my message a while later, I was already logged out / expired.

It looks like the WWT cookie was set to expire maybe 20 minutes after my most recent login.

- Mike McDonald

re: Allow re-defining the Authenticate() session cookie expiration date
  Rick Strahl
  Mike McDonald
  Mar 4, 2019 @ 01:03pm

Yes the way the cookie is processed has changed, but the new cookie should be much longer.

Can you do a full refresh of your browser (Ctrl-Shift-F5) and perhaps clear out your cookies for west-wind.com. I've made this change about 2 weeks ago and since then I've not had to log in again. The timeout has been bumped to 25 days.

I use 3 different browsers on a regular basis and they all seem to work with logins sticking so I wonder what's different?

To troubleshoot this might help:

  • Use the Chrome (or whatever) dev tools (F12)
  • Find the Application tab, Cookies
  • Clear the wwt cookie
  • Come back to the message board (you should be logged out)
  • Sign back in
  • Check the cookies and see what the cookie expiration is

The only thing I can think of is that you had an old cookie that happened to be expiring as you were using the site.

+++ Rick ---

re: Allow re-defining the Authenticate() session cookie expiration date
  Mike McDonald
  Rick Strahl
  Mar 4, 2019 @ 02:04pm

Rick -

OK, I disabled the (Chrome) browser cache and reloaded the page fully. Then I removed the wwt cookie, shut down the browser completely and went back to the initial message board page.

Before logging in, I checked my cookies, and wwt was there, with an expiration date of April 3rd (31 days out) with the current time.

After logging in, the same wwt cookie was there (that is, it had the same 16 digit value as before), but now it had an expiration date of March 4th (today) with the time set to 20 minutes out.

I went through this process twice with the same results.

One other difference - when first visiting the site after having deleted the cookie, it was set as HttpOnly, but once I logged in, it was not set as HttpOnly.

- Mike McDonald

re: Allow re-defining the Authenticate() session cookie expiration date
  Rick Strahl
  Mike McDonald
  Mar 4, 2019 @ 08:33pm

It took some sleuthing to track this down - everything looked right, but there's a small bug in the wwPageResponse::AddCookie() method when you pass a preformatted MimeDate() it doesn't use it, but rather uses the default cookie timeout. Easy fix - I pass the expiration as a DateTime or number and now the cookie properly sets and should stay set for 30 days.

Give this another shot - sign out and sign back in then check your cookie. It should be a month out.

Fixed another related issue that comes up when re-authenticating while a session is still active - it wasn't using the cookie timeout for the re-auth, which resulted in a short cookie again. InitSession() now sets the cookie timeout for the process to ensure they are the same.

Thanks for your help - a couple of those were bugs in Web Connection.

+++ Rick ---

re: Allow re-defining the Authenticate() session cookie expiration date
  Mike McDonald
  Rick Strahl
  Mar 5, 2019 @ 11:36am

Rick -

OK I tried this again - I deleted my WWT cookie and hit the message board. I got a cookie which was set to expire on April 4, 2019 (30 days out).

Then I logged in and had the same cookie value for WWT, but now it was set to expire on February 7, 2024 (five years out), and using HttpOnly this time.

- Mike McDonald

re: Allow re-defining the Authenticate() session cookie expiration date
  Rick Strahl
  Mike McDonald
  Mar 6, 2019 @ 02:14am

Hmmm... the long timeout cookie is the NEVER clause which is enabled, but also there is a 30 day timeout. I'm not sure how you're hitting the NEVER timeout. I've tried in a number of different ways but I can't get anything but the 1 month timeout now.

+++ Rick ---

re: Allow re-defining the Authenticate() session cookie expiration date
  Mike McDonald
  Rick Strahl
  Mar 6, 2019 @ 09:59am

Rick -

I only get the 5 year expiration date if I check the "Remember me on this device" checkbox. If I don't check it, the cookie remains at the 30 day expiration date, and it remembers my login anyway - I can close my browser and go back to the site and I'm still logged in.

The login form has two inputs named "WebLogin_chkRememberMe". One is a 'hidden' input with a value of 'false', and the other is a 'checkbox' input with a value of 'true' (if checked). Both have the same name of "WebLogin_chkRememberMe".

I wonder if my browser (Chrome) is sending those formvars back in a different order than your browser, so you are seeing a different behavior?

- Mike McDonald

re: Allow re-defining the Authenticate() session cookie expiration date
  Rick Strahl
  Mike McDonald
  Mar 6, 2019 @ 12:50pm

Argh - yes found it.

My calculation for the timeout was based on seconds but the session timeout is given in minutes. The 5 years is 60 times what the timeout should have been 😃

Ok I think now this is fixed.

+++ Rick ---
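
An added example, not part of the original thread and not Web Connection code: a Python check that applies the dev-tools procedure from this thread to raw Set-Cookie headers, flagging a lifetime that is off by a factor of 60 or a missing HttpOnly attribute. The header strings, the cookie value, the observation time and the 30-day target are constructed to mirror the values reported in the posts above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attrs); attribute names lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0], attrs

def lifetime_minutes(attrs, observed_at):
    """Minutes until expiry; None means a browser-session cookie."""
    if "max-age" in attrs:  # Max-Age overrides Expires (RFC 6265)
        return int(attrs["max-age"]) / 60
    if "expires" in attrs:
        delta = parsedate_to_datetime(attrs["expires"]) - observed_at
        return delta.total_seconds() / 60
    return None

def audit(header, observed_at, expected_minutes, tolerance=0.05):
    """List findings for one Set-Cookie header against the intended lifetime."""
    _, attrs = parse_set_cookie(header)
    findings = [] if "httponly" in attrs else ["missing HttpOnly"]
    actual = lifetime_minutes(attrs, observed_at)
    if actual is None or expected_minutes is None:
        if actual != expected_minutes:
            findings.append("session/persistent mismatch")
        return findings
    ratio = actual / expected_minutes
    if abs(ratio - 60) <= 60 * tolerance or abs(ratio - 1 / 60) <= tolerance / 60:
        findings.append("lifetime off by 60x: seconds/minutes mix-up?")
    elif abs(ratio - 1) > tolerance:
        findings.append(f"lifetime {actual:.0f} min, expected {expected_minutes} min")
    return findings

# Constructed sample headers modelled on the observations in this thread
# (cookie value is a placeholder; the observation time is made up).
SEEN = datetime(2019, 3, 5, 16, 36, tzinfo=timezone.utc)
THIRTY_DAYS = 30 * 24 * 60  # intended lifetime, in minutes
SAMPLES = {
    "anonymous": "wwt=0000000000000000; path=/; expires=Thu, 04 Apr 2019 16:36:00 GMT; HttpOnly",
    "remember_me": "wwt=0000000000000000; path=/; expires=Wed, 07 Feb 2024 16:36:00 GMT; HttpOnly",
    "short": "wwt=0000000000000000; path=/; expires=Tue, 05 Mar 2019 16:56:00 GMT",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, audit(header, SEEN, THIRTY_DAYS))
```
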

re: Allow re-defining the Authenticate() session cookie expiration date
  Mike McDonald
  Rick Strahl
  Mar 6, 2019 @ 05:02pm

Rick -

Yes, I'm seeing the correct cookie expiration dates now, and when I don't check the 'Remember me' checkbox, it expires in 20 minutes instead of 30 days as it was doing previously. All good..

- Mike McDonald

re: Allow re-defining the Authenticate() session cookie expiration date
  Rick Strahl
  Mike McDonald
  Mar 6, 2019 @ 05:50pm

Thanks...

Although this is still not quite right. There should be no expiration date when the Remember Me setting is not set with the cookie set to expire with the browser session, but I think this is due to the default Session behavior in Web Connection which defaults to 20 minutes.

That needs more investigation and is a deeper (legacy) issue.

+++ Rick ---
