I am trying to implement a very basic ASP.NET Forms Authentication mechanism for an MVC site. The problem I am getting is that my authentication cookie is being set to expire after one year, whereas I don't want it to expire after such a long time. Here is some of my code:
web.config

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2" />
    </authentication>

controller

    ...
    FormsAuthentication.SetAuthCookie(username, false);
    ...

I have found this answer (this question is similar but in my case timeout never occurs) but is this the only way to make the cookie expire or am I doing something wrong here?
When I view the cookie it is set to expire after one year even though it should expire after a couple of minutes, why?
What I want is somehow the user gets logged out after some time and I thought setting expiration in forms tag would do the job?
Almost a month, 100 views and no answers later, I have found a solution.
First, the timeout specified in the web.config works only when the cookie is set as persistent, i.e. a persistent cookie can also expire. Initially I wrongly assumed that a persistent cookie cannot expire. In fact, my original code would have worked if I had always set the cookie to persistent.
Secondly, I believe there is no need for a membership provider to make Forms Authentication work as suggested in the comments above.
Here is how I now create an authentication cookie:

    HttpCookie authCookie = FormsAuthentication.GetAuthCookie(username, isPersistent);
    if (!isPersistent)
    {
        // this is because if it was not set then it got
        // automatically set to expire next year even if
        // the cookie was not set as persistent
        authCookie.Expires = DateTime.Now.AddMinutes(15);
    }
    Response.Cookies.Add(authCookie);

Please let me know if there is any alternative to this.
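
One alternative, shown as an added example that is not part of the original post: build the `FormsAuthenticationTicket` explicitly so the lifetime is carried inside the encrypted ticket, which the server checks on each request, instead of relying only on the cookie's `Expires` attribute, which is enforced by the browser. It assumes classic ASP.NET (`System.Web`); the class and method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper for illustration; not from the original post.
public static class AuthCookieIssuer
{
    // Issues a forms-auth cookie whose lifetime is fixed inside the encrypted ticket.
    public static void SignIn(HttpResponseBase response, string username,
                              bool isPersistent, TimeSpan lifetime)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(lifetime);
        var ticket = new FormsAuthenticationTicket(
            1, username, issued,
            expires,              // ticket expiration, checked server-side
            isPersistent, string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath,
            Domain = FormsAuthentication.CookieDomain
        };
        // Only a persistent cookie gets a browser-side expiry. Otherwise it stays
        // a session cookie and the ticket expiration alone bounds its use.
        if (isPersistent)
            cookie.Expires = expires;
        response.Cookies.Add(cookie);
    }

    // Returns true when the cookie value decrypts to a ticket that has not expired.
    public static bool IsTicketValid(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue)) return false;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookieValue);
            return ticket != null && !ticket.Expired;
        }
        catch (Exception)
        {
            return false; // fail closed on a tampered or undecryptable value
        }
    }
}
```

From a controller action this would be called as `AuthCookieIssuer.SignIn(Response, username, isPersistent, TimeSpan.FromMinutes(15));`.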