Is there any way to configure Forms authentication so that I can make the cookie and ticket persistent with an indefinite expiration while having a non-persistent option that doesn't require setting the ticket timeout to be infinite?

Use case: checkbox "keep me logged in"

Checked: User gets persistent non-session cookie with a ticket timeout of indefinite

Not checked: User gets session cookie with a ticket with a timeout of a few minutes with a sliding expiration renewal

Is it possible to have both? Or is the trade-off of allowing the permanent login the requirement of setting the ticket timeout to be so large that a user with a session cookie will never be logged out until they close their browser?

+1  A: 

You have two options:

  1. Non-persistent authentication cookie (no Expires property set). In this case the cookie will be stored only in the browser's memory and will be lost once the browser is closed. The ticket can have either a fixed timeout or a timeout with a sliding expiration. Once the timeout is reached, even though the cookie is still sent by the browser, the client will be logged off. For the sliding expiration to work the cookie is rewritten on every request because the ticket changes.
  2. Persistent authentication cookie. In this case the cookie will be stored on the client's computer and will be sent as long as the Expires date is not reached. Same ticket Timeout rules apply here.
Darin Dimitrov
This seems to be a very significant and unfortunate oversight in ASP.NET.
Chris Marisic
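
An added example, not part of the original answer or comment: the two lifetimes from the question can coexist when the login code builds the `FormsAuthenticationTicket` itself instead of relying on the single configured `timeout`. The helper name `LoginCookieIssuer` and both lifetimes are assumptions, with a bounded 30-day value standing in for "indefinite".

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper, not ASP.NET's own code.
public static class LoginCookieIssuer
{
    // Assumed lifetimes for illustration; neither value comes from the page.
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(20);
    private static readonly TimeSpan RememberedLifetime = TimeSpan.FromDays(30);

    public static void SignIn(HttpResponse response, string userName, bool keepMeLoggedIn)
    {
        DateTime issued = DateTime.Now;
        TimeSpan lifetime = keepMeLoggedIn ? RememberedLifetime : SessionLifetime;

        // The ticket carries its own expiration, chosen per login here.
        // With slidingExpiration="true", renewal reuses this ticket's own
        // lifetime (Expiration - IssueDate), so each kind keeps its window.
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,
            issued,
            issued.Add(lifetime),
            keepMeLoggedIn,                      // IsPersistent
            string.Empty,                        // no user data
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Only "keep me logged in" gets an Expires date; without one the
        // browser treats the cookie as a session cookie.
        if (keepMeLoggedIn)
            cookie.Expires = ticket.Expiration;

        response.Cookies.Add(cookie);
    }
}
```

Call `LoginCookieIssuer.SignIn(Response, userName, rememberMe.Checked)` after validating credentials, in place of `FormsAuthentication.SetAuthCookie`; `rememberMe` is an assumed checkbox control.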