In an ASP.NET MVC2 app, we have the standard login action...

// Credentials checked first; only then is the auth cookie issued
// (closing parenthesis of the if condition restored here)
if (ValidateUser(model.Email, model.Password))
{
  FormsAuthentication.SetAuthCookie(model.Email, model.RememberMe);
  ...

where the second parameter to SetAuthCookie is createPersistentCookie with the following documentation:

createPersistentCookie
  Type: System.Boolean
    true to create a persistent cookie
    (one that is saved across browser sessions); otherwise, false.

We would like to have the persistent cookie expire after 2 weeks (i.e., a user could return to the site within 2 weeks and not be required to re-authenticate; after that time they would be asked to log in again).

How do we set the expiration for the persistent cookie?

+1  A: 

Can you not do this?

<system.web>
    <authentication mode="Forms">
          <!-- 14 days * 24 hours * 60 minutes = 20160 minutes -->
          <forms timeout="20160"/>
    </authentication>
</system.web>

The timeout is in minutes.

This timeout value applies irrespective of whether or not you are creating a persistent cookie. It simply says that if you don't explicitly terminate the cookie (FormsAuthentication.SignOut), it will automatically expire after the given time period.

In other words, if you do:

FormsAuthentication.SetAuthCookie(someMembershipName, false);

this will result in the cookie expiring when:

  • The user closes the browser, or
  • The timeout is reached.

As opposed to if you do:

FormsAuthentication.SetAuthCookie(someMembershipName, true);

this will result in the cookie expiring only when the timeout is reached.

HTH

EDIT:

Taken from MSDN, the timeout attribute is described as follows:

Specifies the time, in integer minutes, after which the cookie expires. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time that the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half of the specified time has elapsed. This might cause a loss of precision. The default is "30" (30 minutes).

Note: Under ASP.NET V1.1 persistent cookies do not time out, regardless of the setting of the timeout attribute. However, as of ASP.NET V2.0, persistent cookies do time out according to the timeout attribute.

In other words, this expiration setting handles the Forms Authentication cookie only.

The Forms Authentication cookie is a client-side cookie; it has nothing to do with any other server-side session you may have (i.e., a shopping cart).

That Session is expired with the following setting:

<sessionState
      mode="InProc"
      cookieless="false"
      timeout="20" />
RPM1984
@RPM1984: My understanding is that this timeout controls session expiration. Our session timeouts are on the order of 2 hours. It's not that we want the session to last for two weeks, but rather the "remember me" cookie to last for that time.
Rob
@Rob - see my edit, i think you're mistaken.
RPM1984
@RPM1984: Thanks for the follow-through. I'll do some testing with Firebug and session expiration and report back. In the meantime, +1 and I've accepted your answer. Thanks again.
Rob
@Rob: no worries, let me know if you find any probs (as we use the above setting and seems to work fine in all scenarios)
RPM1984
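As an added example (not code from the question or the accepted answer), here is the alternative to leaning on the global forms timeout: build the FormsAuthenticationTicket yourself so the "remember me" ticket carries its own 14-day expiration, while a non-"remember me" login keeps using SetAuthCookie and the web.config timeout. The security point this makes explicit is that the Expires on the HttpCookie is only a browser-side hint; what the server actually enforces is the expiration stored inside the encrypted ticket, so the two are kept equal. The RememberMeAuth class, its PersistentLifetime value and the assumption that web.config sets requireSSL="true" are all assumptions for this example.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not the original post's code. Issues the forms-auth cookie for an
// MVC login action with an explicit 14-day ticket lifetime for "remember me" logins.
public static class RememberMeAuth
{
    // Assumed policy: persistent ("remember me") tickets last 14 days from issue.
    // Non-persistent logins fall back to the <forms timeout="..."> value in web.config.
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(14);

    public static void IssueAuthCookie(HttpResponseBase response, string userName, bool rememberMe)
    {
        if (!rememberMe)
        {
            // Session cookie: no browser-side Expires, so it is discarded when the
            // browser closes, and the ticket inside it expires per <forms timeout="...">.
            FormsAuthentication.SetAuthCookie(userName, false);
            return;
        }

        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(PersistentLifetime);

        // The expiration written into the ticket is what FormsAuthenticationModule
        // checks on every request; it is not affected by whatever the browser does
        // with the cookie's own Expires attribute.
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,                            // identity name
            issued,                              // issue date
            expires,                             // ticket expiration (server-enforced)
            true,                                // isPersistent
            string.Empty,                        // userData
            FormsAuthentication.FormsCookiePath); // cookie path from web.config

        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                          // keep the ticket away from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // honours requireSSL="true" in web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Expires = expires;                        // browser hint, kept equal to the ticket

        response.Cookies.Add(cookie);
    }
}

// Usage from the login action in the question, replacing the SetAuthCookie call:
//   if (ValidateUser(model.Email, model.Password))
//   {
//       RememberMeAuth.IssueAuthCookie(Response, model.Email, model.RememberMe);
//       ...
```

If slidingExpiration="true" is left at its default in web.config, ASP.NET re-issues the ticket once more than half of its lifetime has elapsed and preserves the ticket's own issue-to-expiration span, so the 14 days then runs from the last request rather than from login; set slidingExpiration="false" if the two-week limit is meant as an absolute cap from the time of login.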