To set a cookie so it expires at the end of the browsing session, simply OMIT the expiration parameter altogether.
If a cookie is valid and can be read by the domain, it will be passed along with the HTTP request to the domain that it originated from. If you want a cookie to expire at a specific time, you need to set an expiration date.
The Kind property of Expires is used to determine if the cookie is set to DateTimeKind.
The default time for a Cookie to expire is 30 minutes. The default Expires value for a cookie is not a static time, but it creates a Session cookie. This will stay active until the user closes their browser/clears their cookies. You can override this as required.
You're talking about a non-persistent cookie. By default asp.net sends cookies in that way. The main difference between them are that a persistent cookie has an expires value set.
So, if you don't want the cookie to persist, then do not set the expires value.
That said, the cookie will remain in memory until the browser is actually closed. Let's say they browse to your site and you set a non-persistent cookie. They do things and browse away. Later they, using the same browser instance, come back to your site. The cookie will still be there.
Now, if they closed the browser at any point, then the cookie would be flushed out.
Point is, don't set the expires header. Especially not to when the session date expires. Session dates are generally only 20 or so minutes in the future, but the expiration date rolls forward as the user browses through your site.
===== update =====
I used the following code for testing:
protected void Page_Load(object sender, EventArgs e) {
if (!Page.IsPostBack) {
HttpCookie c = Request.Cookies["test"];
if (c != null) {
Response.Write(String.Format("test value is {0} <br />", c.Value));
}
} else {
HttpCookie c = new HttpCookie("test");
c.Value = "HERE IT IS";
Response.Cookies.Add(c);
}
}
protected void Button1_Click(object sender, EventArgs e) {
Response.Write("clicked<br />");
}
the .aspx file simple had a button which fired that button1_click handler. When I initially browse to it using any of the latest browsers (ie, firefox, chrome) there is no cookie. After I click the button a cookie is set. Then I closed the browser completely, reopened and browsed back to the site. In all cases the cookie was gone.
It's important to note that these days you can't count on a session cookie being deleted when the user closes the browser. Both Chrome and Firefox made that change back in 2012 or so - see the various links at this answer.
Now, failing to delete session cookies strikes me as a terrible, horrible, no good, very bad security hole, not to mention a violation of every relevant RFC, but apparently our Google (and Mozilla) Overlords know better.
I'm not sure what the best workaround is, but the approach I'm taking is to reset the "Expires" property on the cookie to an hour in the future after each call. That's not precisely the desired behavior, but I think it's better than allowing crucial cookies to stick around basically forever.
Open to other suggestions or clarifications.
TimeOut
returns an int
, Expires
expects DateTime
, which is why that code will not compile. Setting the expiration date to date in the past immediately revokes the cookie, so that's probably not what you want. If you left the expiration date unused, the cookie would expire as soon as the user closed the browser.
If you want the cookie tied to the particular Session, why involve the cookie in the first place? You could certainly keep extending the cookie's expiration date each time the user extended the session by using your application, but that seems like unnecessary work. Just use Session.
Feel free to elaborate on the problem.
Do NOT use Login control, it makes it harder.
protected void btnLogin_Click(object sender, EventArgs e)
{
// Check user and password in database
bool isValidUser = ValidateUser(txtUsername.Text, txtPassword.Text);
// Set cookie to be not persistent - this means if the user closes the browser,
//autentification cookie will be deleted and the user is not longer logged
bool isPersistentCookie = false;
// Login user with the new username
FormsAuthentication.SetAuthCookie(txtUsername.Text, isPersistentCookie);
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With