ASPX auth cookie expiration time is always 30 minutes

3

10

I have set the cookie expiration time to 1 month, but when I look at the expiration timeout of the .ASPXAUTH cookie in the browser it says 30 minutes ahead from now.

var ticket = new FormsAuthenticationTicket(1, "myname", DateTime.Now,
                                           DateTime.Now.AddMonths(1), true, "test");
string ticketString = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticketString)
{
    Expires = DateTime.Now.AddMonths(1),
    Path = FormsAuthentication.FormsCookiePath
};
HttpContext.Current.Response.Cookies.Add(cookie);

Can you let me know why the above code is behaving so? I want to change the expiration time, but it is always coming out as 30 minutes.

Bonnell answered 27/3, 2012 at 12:18 Comment(4)
Where did you specify 1 month? - Wondering
Do you have any reason to manually create the authentication ticket? If you do it automatically you can handle the expiration time through web.config. - Isologous
V4Vendetta, he does it here: "DateTime.Now.AddMonths(1)". To Rocky Singh: have you checked the slidingExpiration="false" property? I'm guessing you aren't setting it to false or it is absent. In this case, every request resets the Expiration to the default in Web.Config. - Diastyle
I want to keep slidingExpiration set to true along with overriding the expiration time too (which is 30 minutes by default). - Bonnell
4

Do you need to set this timeout programmatically, or is it OK to set it in the configuration file? There is a timeout parameter, which indicates the authentication cookie timeout: http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx

Default value of this parameter is 30 minutes.

Best regards, Dmitry

Pinnatisect answered 27/3, 2012 at 12:51 Comment(0)
4

With the advice from the other answers I got to this link.

Apparently, in ASP.NET it checks the expiration in the Web.config and doesn't take the expiration from the cookie. So you need to add to the config file inside <system.web>:

<authentication mode="Forms">
  <!--
    loginUrl:          your login page
    defaultUrl:        your default page
    protection:        type of encryption
    timeout:           a month in minutes
    slidingExpiration: every refresh the expiration time will reset
    cookieless:        use cookies if the browser supports cookies
  -->
  <forms
    name=".ASPXAUTH"
    loginUrl="Login.cshtml"
    defaultUrl="Default.cshtml"
    protection="All"
    timeout="43200"
    path="/"
    requireSSL="false"
    slidingExpiration="true"
    cookieless="UseDeviceProfile"
    domain=""
    enableCrossAppRedirects="false">
    <credentials passwordFormat="SHA1" />
  </forms>
</authentication>
Marniemaro answered 17/9, 2015 at 10:5 Comment(0)
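
Added example, not code from the question or from any answer: a helper that issues the persistent ticket with the cookie and ticket expiry kept identical, plus a diagnostic that decrypts the incoming .ASPXAUTH cookie so the ticket's actual lifetime can be compared with the configured timeout. The class and method names are hypothetical; it assumes .NET Framework 4.0 or later (for FormsAuthentication.Timeout) and sets HttpOnly and Secure, which the question's code leaves at their defaults.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (added example, not from the thread).
public static class AuthCookieHelper
{
    // Issue a persistent ticket whose lifetime is chosen in code.
    public static void Issue(HttpResponseBase response, string userName, TimeSpan lifetime)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(lifetime), true, string.Empty,
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            Expires = ticket.Expiration,             // cookie and ticket expire together
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                         // not readable from script
            Secure = FormsAuthentication.RequireSSL  // follows requireSSL in web.config
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;

        response.Cookies.Set(cookie);  // replace any auth cookie already queued
    }

    // Report what the ticket inside the incoming cookie actually says.
    public static string Describe(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "no forms-auth cookie on this request";

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return "cookie present but ticket did not decrypt"; }
        if (ticket == null) return "cookie present but ticket did not decrypt";

        return string.Format(
            "issued={0:s} expires={1:s} lifetime={2} persistent={3} expired={4} configTimeout={5}",
            ticket.IssueDate, ticket.Expiration, ticket.Expiration - ticket.IssueDate,
            ticket.IsPersistent, ticket.Expired, FormsAuthentication.Timeout);
    }
}
```

If Describe reports a lifetime equal to configTimeout rather than the value passed to Issue, the cookie being read was written by something other than Issue. A month-long persistent ticket remains usable for that whole period if the cookie value is copied, so requireSSL="true" in web.config is what makes the Secure flag take effect here.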
3

Check your web.config file; there should be a FORM entry under the following element: system.web -> authentication.

Check the timeout property there: is it set to 30 minutes?

Remove this form authentication tag from there.

Zooplankton answered 27/3, 2012 at 13:1 Comment(2)
It is just <authentication mode="Forms"> <forms loginUrl="login.aspx"/> </authentication> - Bonnell
Try to add domain to the forms tag (any string). I had the same problem; I had to set it to 240 minutes. I made both entries the same in web.config and in code, and added domain in the form tag. I also set the Application Pool timeout in IIS to 240 minutes. - Zooplankton
