Menu
How long can I use a session cookie? I have a client application where I authenticated to a SharePoint site and I am using the cookies for navigating through the subsites. I am saving the cookie and reusing the headers to login to the site at a later point without authenticating again. There is no expiration date set. How long will the cookie last and when should I authenticate back again?
723
Yes the Session cookie expires. In addition to the 30 minute default timeout (if the visitor is idle for 30 minutes) the 'Session ID' cookie will expire at the end of an internet browser session.
Session cookies will only stay on your device until you close your browser. Persistent cookies stay on your computer or mobile device until they expire or are deleted.
If you want to keep the session even if the browser is closed then you need to use persistent cookies which are stored on the user computer rather than HTTP only cookies. Show activity on this post. The best way is to keep cookie in browser,but encrypted.
Cookies can last as long as their creator wants them to. The duration can be set when cookies are created. While session cookies are destroyed when the current browser window is closed, they can also persist for long after the page is closed.
The expiration of session cookies varies from browser to browser. I was unable to find any kind of reference giving the current specifics per browser. It used to be that session cookies would be destroyed when the browser was closed, but some browsers now have settings that, if enabled, will cause session cookies to persist past the browser being closed. For example, Firefox's "When Firefox starts: Show my windows and tabs from last time" will cause this to happen, somewhat surprisingly. The same goes for, "On startup: Continue where I left off" in Chrome.
I don't really care for SharePoint so I haven't used it in a while, but as I recall it uses ASP.Net Forms Authentication, pulling the configuration from the web.config just like any other ASP.Net site. That being said, you're not really concerned with the timeout of your cookie. What you care about is the timeout of your server-side session token - that is to say, how long the data contained in said cookie will be recognized by the server. That is set by the timeout property in the forms tag of the web.config file for an ASP.Net app:
<system.web>
<!-- ... -->
<authentication mode="Forms">
<forms timeout="2880" />
</authentication>
<!-- ... -->
</system.web>
If there's no expire it's going to be around until the browser is killed. Normally in ASP.Net the session cookies are set with a 20 minute timeout. That's usually pretty good. Depending on your app, you may want a javascript timer as well. Otherwise the browser won't understand when it's logged out until a page refresh happens and sensitive data can be exposed. You'll see this implementation on any online banking site.
(Edit to clarify from downvote) Session cookies do, in fact, stay around until the browser is closed. You can look it up here: http://www.allaboutcookies.org/cookies/cookies-the-same.html
The above answer is also correct in that some newer browsers will recover session cookies after a crash/close.
@Grinn, you do bring up a good point able the Ticket. When using ASP.Net Forms auth, an encrypted Ticket is placed within the session cookie. They cookie can still be in place as far as the browser is concerned, but if the datestamp inside the ticket is expired, it will be considered invalid.
If you're using some semblance of Forms auth with Sharepoint, you should probably just write your own membership provider that can crack the Ticket in the cookie, but disregard if the datestamp is expired. Building Custom Membership Provider
35
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
