FormsAuthentication with enabled slidingExpiration is not returning a cookie in each request.

2

5

I have a web application with FormsAuthentication and with slidingExpiration="true" in my web.config, but when I look at the HTTP transactions, I cannot see the web server returning the AUTH cookie in each request.

Checking the docs, it should.

slidingExpiration
Optional attribute. Specifies whether sliding expiration is enabled. Sliding expiration resets the active authentication time for a cookie to expire upon each request during a single session. This attribute can be one of the following values.

Value: Description
True: Specifies that sliding expiration is enabled. The authentication cookie is refreshed and the time to expiration is reset on subsequent requests during a single session.
False: Specifies that sliding expiration is not enabled and the cookie expires at a set interval from the time the cookie was originally issued.

The default is True.

Does anyone know why it is not working as expected?

Cheers.

Scever answered 26/9, 2011 at 11:18 Comment(0)
7

I have read this: http://www.dotnetmonster.com/Uwe/Forum.aspx/asp-net-security/2316/problem-with-slidingExpiration

In other words, if the elapsed time since ticket creation is greater than half the ticket timeout (in your scenario would be 1 minute) then the ticket won't be renewed. Otherwise a new ticket will be granted with a fresh timeout (2 mins in your case). Summarizing, if you hit your page after 1 minute, it won't extend your Forms session lifetime regardless of your slidingExpiration setting.

It makes sense, but I cannot find any official source. So I will test it myself when I have some spare time.

Cheers.

Scever answered 27/9, 2011 at 14:49 Comment(3)
Couldn't answer fast enough; the algorithm mentioned above can be flawed depending on your requirements. - Gasper
Answer it and I am happy to mark your answer as correct :) Why could it be flawed? Thanks. - Scever
Here is the MSDN link: msdn.microsoft.com/en-us/library/… - Runofthemine
0

New cookies will be issued only when half of the time has elapsed since the cookie's creation, and that is what is happening in your case.

Incest answered 13/3, 2013 at 7:33 Comment(0)
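
The rule in the answer above (a new cookie only once more than half of the timeout has elapsed), as an added example that is not part of the original thread and not code from System.Web. It models the comparison that FormsAuthentication.RenewTicketIfOld makes; the Ticket and RenewIfOld names, the 2-minute timeout and the request times are assumptions made for the illustration.

```csharp
using System;

// Stand-alone model of the renewal rule. Ticket and RenewIfOld are hypothetical
// names for this example, not types or methods from System.Web.
public sealed class Ticket
{
    public DateTime Issued { get; }
    public DateTime Expires { get; }
    public Ticket(DateTime issued, DateTime expires) { Issued = issued; Expires = expires; }
}

public static class SlidingExpirationDemo
{
    // Returns the same ticket while more time remains than has elapsed
    // (no Set-Cookie is sent); otherwise returns a fresh ticket with the same lifetime.
    public static Ticket RenewIfOld(Ticket old, DateTime now)
    {
        TimeSpan age = now - old.Issued;
        TimeSpan remaining = old.Expires - now;
        if (remaining > age) return old;
        return new Ticket(now, now + (old.Expires - old.Issued));
    }

    public static void Main()
    {
        TimeSpan timeout = TimeSpan.FromMinutes(2);            // constructed: timeout="2"
        DateTime login = new DateTime(2011, 9, 26, 11, 0, 0);  // constructed login time
        Ticket ticket = new Ticket(login, login + timeout);

        // Constructed request times, in seconds after login.
        foreach (int offset in new[] { 10, 50, 70, 120, 200 })
        {
            DateTime now = login.AddSeconds(offset);
            if (now > ticket.Expires)
            {
                Console.WriteLine($"t+{offset,3}s  ticket expired, user must log in again");
                break;
            }
            Ticket renewed = RenewIfOld(ticket, now);
            bool setCookie = !ReferenceEquals(renewed, ticket);
            ticket = renewed;
            Console.WriteLine($"t+{offset,3}s  Set-Cookie: {(setCookie ? "yes" : "no ")}  " +
                              $"expires at t+{(ticket.Expires - login).TotalSeconds}s");
        }
    }
}
```

With these request times the cookie is reissued only at t+70s, and the request at t+200s finds the ticket expired although only 80 seconds have passed since the previous request. The effective idle window therefore lies between half the timeout and the full timeout, which matters when sizing session timeouts.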
