Hi, when a user logs into my site I create the following authentication ticket:

// Create the authentication ticket (version 1, 10080 minutes = 7 days)
var authTicket = new FormsAuthenticationTicket(1, // Version
                    userName, // Username
                    DateTime.UtcNow,             // Creation
                    DateTime.UtcNow.AddMinutes(10080), // Expiration
                    createPersistentCookie, // Persistent
                    user.Role.RoleName + "|~|" + user.UserID + "|~|" + user.TimeZoneID); // Additional data

// Encrypt (and MAC) the ticket with the machineKey so the client can neither read nor alter it
var encTicket = FormsAuthentication.Encrypt(authTicket);

// Store the ticket in a cookie. HttpOnly keeps it away from script and Secure follows
// the requireSSL setting. Only a persistent ("remember me") cookie gets an Expires date;
// without it the browser discards the cookie when the browser session ends, which is
// what createPersistentCookie == false is meant to give you.
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
{
    HttpOnly = true,
    Secure = FormsAuthentication.RequireSSL,
    Path = FormsAuthentication.FormsCookiePath
};
if (createPersistentCookie)
    authCookie.Expires = authTicket.Expiration;
HttpContext.Current.Response.Cookies.Add(authCookie);

Then in my Global.asax.cs file i have the following:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Get the authentication cookie
    var authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];

    // If it exists then decrypt and setup the generic principal
    if (authCookie != null && !string.IsNullOrEmpty(authCookie.Value))
    {
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception) // ArgumentException / HttpException / CryptographicException:
        {                 // tampered, truncated, or issued under a different machineKey
            return;       // treat the request as anonymous rather than erroring
        }

        // Decrypt can return null, and it does not check the expiry for you
        if (ticket == null || ticket.Expired)
            return;

        var id = new UserIdentity(ticket); // This class simply takes the value from the cookie and then sets the properties on the class for the role, user id and time zone id
        var principal = new GenericPrincipal(id, new string[] { id.RoleName });
        HttpContext.Current.User = principal;
    }
}

protected void Session_Start(object sender, EventArgs e)
{
    // If the user has been disabled then log them out.
    // This only runs when a new session starts, not on every request, so a disabled
    // user keeps working until their session cookie lapses.
    if (Request.IsAuthenticated)
    {
        var user = _userRepository.Single(u => u.UserName == HttpContext.Current.User.Identity.Name);

        if (!user.Enabled)
            FormsAuthentication.SignOut(); // clears the cookie; the current request is still authenticated
    }
}

So far so good. The problem I have is that if an administrator changes a user's role or time zone then, the next time they return to the site, their ticket is not updated (if they selected remember me when logging in).

Here are my authentication settings in case it helps:

<authentication mode="Forms">
    <forms timeout="10080" slidingExpiration="true" />
</authentication>
<membership userIsOnlineTimeWindow="15" />

I've been reading up on slidingExpiration but as far as I can tell it only increases the expiration time and doesn't renew the contents of the cookie. I'd really appreciate it if someone could help. Thanks.

A: 

I simply changed my Session_Start to:

// If the user is disabled then log them out else update their ticket
if (Request.IsAuthenticated)
{
    var user = _userRepository.Single(u => u.UserName == HttpContext.Current.User.Identity.Name);   

    if (!user.Enabled)   
        FormsAuthentication.SignOut();   
    else
        RenewTicket(); // This calls the same code to create the cookie as used when logging in
}
nfplee
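The RenewTicket() the answer calls is not shown. What follows is an added example, not code from the question or the answer, of how the issue and read halves fit together so the cookie can be re-issued with the user's current role and time zone. It also generalizes the answer's approach: instead of refreshing only in Session_Start, it compares the cookie's copy of the role and time zone with the current record and can do so on any request. The helper names FormsTicketHelper, TicketData, Issue, TryRead and RefreshIfStale are hypothetical; the user field names (UserName, Role.RoleName, UserID, TimeZoneID) and the "|~|" delimiter follow the question's code.

```csharp
// Added example (not from the question or answer). Helper names are hypothetical;
// field names and the "|~|" delimiter follow the question's code.
using System;
using System.Web;
using System.Web.Security;

public sealed class TicketData
{
    public string UserName { get; set; }
    public string RoleName { get; set; }
    public int UserID { get; set; }
    public string TimeZoneID { get; set; }
    public bool Persistent { get; set; }
}

public static class FormsTicketHelper
{
    private const string Delimiter = "|~|";

    // Issues (or re-issues) the forms ticket carrying the user's current role and time zone.
    // Call it at login and again whenever the server-side record is newer than the cookie.
    public static void Issue(HttpResponse response, string userName, string roleName,
                             int userId, string timeZoneId, bool persistent, TimeSpan lifetime)
    {
        var now = DateTime.UtcNow;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(lifetime), persistent,
            roleName + Delimiter + userId + Delimiter + timeZoneId,
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // not readable from script
            Secure = FormsAuthentication.RequireSSL, // HTTPS only when requireSSL is set
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;      // otherwise it stays a session cookie

        response.Cookies.Set(cookie);                // Set replaces any cookie of the same name
    }

    // Reads and validates the ticket. Returns false for a missing, tampered or expired
    // cookie instead of letting Decrypt's exception take down the request.
    public static bool TryRead(HttpRequest request, out TicketData data)
    {
        data = null;
        var cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return false;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception) // ArgumentException / HttpException / CryptographicException
        {
            return false;
        }
        if (ticket == null || ticket.Expired)
            return false;

        // Strict parse: exactly three fields and a numeric user id, otherwise reject.
        var parts = ticket.UserData.Split(new[] { Delimiter }, StringSplitOptions.None);
        int userId;
        if (parts.Length != 3 || !int.TryParse(parts[1], out userId))
            return false;

        data = new TicketData
        {
            UserName = ticket.Name,
            RoleName = parts[0],
            UserID = userId,
            TimeZoneID = parts[2],
            Persistent = ticket.IsPersistent
        };
        return true;
    }

    // Re-issues the cookie when the server-side role or time zone no longer matches the
    // copy in the ticket. Cheap enough to run on every request if the user record is
    // cached; the answer's Session_Start only gets this chance once per session.
    public static bool RefreshIfStale(HttpResponse response, TicketData fromCookie,
                                      string currentRole, string currentTimeZone, TimeSpan lifetime)
    {
        if (fromCookie.RoleName == currentRole && fromCookie.TimeZoneID == currentTimeZone)
            return false;

        Issue(response, fromCookie.UserName, currentRole, fromCookie.UserID,
              currentTimeZone, fromCookie.Persistent, lifetime);
        return true;
    }
}
```

In Application_AuthenticateRequest you would call TryRead, build the principal from the TicketData, look the user up (from a short-lived cache if this runs per request), sign out if the account is disabled and otherwise call RefreshIfStale with TimeSpan.FromMinutes(10080) to match the question's timeout. Until the cookie is refreshed every request still trusts the role copied into the ticket, so anything security-critical should check the role against the database rather than the cookie.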