 

Controlling the FormsAuthentication createPersistentCookie expiration

In an ASP.NET MVC2 app, we have the standard login action...

if (ValidateUser(model.Email, model.Password))
{
  FormsAuthentication.SetAuthCookie(model.Email, model.RememberMe);
  ...

where the second parameter to SetAuthCookie is createPersistentCookie with the following documentation:

createPersistentCookie
  Type: System.Boolean
    true to create a persistent cookie
    (one that is saved across browser sessions); otherwise, false.

We would like to have the persistent cookie expire after 2 weeks (i.e., a user could return to the site within 2 weeks and not be required to re-authenticate. After that time they would be asked to log in again).

How do we set the expiration for the persistent cookie?

Rob asked Sep 20 '10 04:09


1 Answer

Can you not do this?

<system.web>
    <authentication mode="Forms">
        <forms timeout="20160"/>
    </authentication>
</system.web>

The timeout is in minutes.

This timeout value is irrespective of whether or not you are creating a persistent cookie. It simply says that if you don't explicitly terminate the cookie (FormsAuthentication.SignOut), it will automatically expire after the given time period.

In other words, if you do:

FormsAuthentication.SetAuthCookie(someMembershipName, false);

This will result in the cookie expiring when:

  • The user closes the browser, or
  • The timeout is reached.

As opposed to if you do:

FormsAuthentication.SetAuthCookie(someMembershipName, true);

This will result in the cookie only expiring when the timeout is reached.

HTH

EDIT:

Taken from MSDN:

The timeout attribute is described as follows:

Specifies the time, in integer minutes, after which the cookie expires. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time that the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half of the specified time has elapsed. This might cause a loss of precision. The default is "30" (30 minutes).

Note: Under ASP.NET V1.1 persistent cookies do not time out, regardless of the setting of the timeout attribute. However, as of ASP.NET V2.0, persistent cookies do time out according to the timeout attribute.

In other words, this expiration setting handles the Forms Authentication cookie only.

The Forms Authentication cookie is a client-side cookie; it has nothing to do with any other server-side session you may have (i.e. a shopping cart).

That Session is expired with the following setting:

<sessionState
      mode="InProc"
      cookieless="false"
      timeout="20" />
RPM1984 answered Oct 12 '22 20:10
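An added example, not part of the original question or answer: when the two-week lifetime should apply only to "remember me" logins, leaving the `<forms timeout>` value for ordinary sessions, the ticket can be built by hand with its own expiration. `AuthCookieHelper`, `SignIn` and `PersistentLifetime` are hypothetical names, and the code assumes it is called from a controller action during a request.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the original page): gives the persistent
// "remember me" cookie a 14-day lifetime of its own.
public static class AuthCookieHelper
{
    // Assumption: two weeks, as asked for in the question.
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(14);

    public static void SignIn(HttpResponseBase response, string userName, bool rememberMe)
    {
        if (!rememberMe)
        {
            // Browser-session cookie; the ticket lifetime still comes
            // from <forms timeout="..."> in web.config.
            FormsAuthentication.SetAuthCookie(userName, false);
            return;
        }

        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(PersistentLifetime);

        // The expiration lives inside the encrypted ticket, so the server
        // enforces it even if the client alters the cookie's own expiry.
        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, expires, true, string.Empty,
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            Expires = expires,                        // browser drops it after 14 days
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;

        response.Cookies.Add(cookie);
    }
}
```

With `slidingExpiration="true"` the 14-day window is renewed on activity, so a hard two-week cap also needs `slidingExpiration="false"` on the `<forms>` element.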