Persistent cookie timeout with FormsAuthentication
S

3

13

I am creating some "Remember Me" functionality as part of logging in.

When I create a persistent cookie during the login process with the following:

FormsAuthentication.SetAuthCookie("someusername", true);

And my Web.Config looks as follows:

<authentication mode="Forms">
  <forms loginUrl="~/sign-in" timeout="2880" />
</authentication>

How long will the cookie be valid for before the user will be asked to provide their login details again? Also, is there a default length of time used when setting a persistent cookie, and what is it?

Striated answered 7/10, 2011 at 0:18 Comment(0)
S
16

I found the answer I was looking for thanks to this article:

Dan Sellers's WebLog

where he states:

in ASP.NET 2.0 the timeout value of both persistent and session based cookies are controlled by the timeout attribute on the <forms/> element

So in my example the persistent cookie will expire in 48 hours.

Striated answered 7/10, 2011 at 9:11 Comment(2)
It was a change from .NET 1.1 to 2: "Note Under ASP.NET V1.1 persistent cookies do not time out, regardless of the setting of the timeout attribute. However, as of ASP.NET V2.0, persistent cookies do time out according to the timeout attribute." Good find. Should be noted that if you create the auth ticket in code with different values, it will trump the setting in the web.config... in case you need that flexibility. - Whereinto
The important part being that if you're old like me and remember passing "true" as that second argument seemingly keeping you logged in forever, you were right - it set the cookie for 5 years. Now if you pass that and don't set the timeout value, it defaults to "30" - which is just 30 minutes. Quite the drop from 5 years, which would be <forms timeout="2628000">. - Carrack
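
The first comment on this answer notes that a ticket created in code takes precedence over the web.config timeout. The following C# is an added example, not code from the thread, showing a "Remember Me" sign-in that issues the ticket itself so the persistent lifetime is explicit; the class name RememberMeLogin, the method SignIn and the 14-day lifetime are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class RememberMeLogin
{
    // Assumed policy value for this example; it does not come from the page.
    private static readonly TimeSpan RememberMeLifetime = TimeSpan.FromDays(14);

    public static void SignIn(HttpResponseBase response, string userName, bool rememberMe)
    {
        DateTime issued = DateTime.Now;

        // Without "Remember Me", fall back to the <forms timeout="..."> value.
        TimeSpan lifetime = rememberMe ? RememberMeLifetime : FormsAuthentication.Timeout;
        DateTime expires = issued.Add(lifetime);

        // The expiration stored inside the encrypted ticket is what the server
        // checks on each request, independent of the browser's cookie date.
        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, expires, rememberMe,
            string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,  // follow the requireSSL setting
            Path = FormsAuthentication.FormsCookiePath
        };
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Only a persistent cookie gets an Expires date; without one the browser
        // drops it when it closes, and the ticket still expires server-side.
        if (rememberMe)
            cookie.Expires = expires;

        response.Cookies.Add(cookie);
    }
}
```

Keeping the ticket expiration and the cookie's Expires value identical avoids a cookie that outlives a ticket the server will reject, or a ticket that stays valid after the browser has discarded the cookie.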
T
3

timeout is mentioned in your authentication module as:

<forms loginUrl="~/sign-in" timeout="2880" />

timeout="2880". This 2880 value is given in minutes. So if you divide 2880 by 60, you get 48 hours, which is the answer to your question. Users will have to provide their login credentials again after the 48-hour period expires.

Hope it helps.

Teniafuge answered 15/12, 2015 at 14:25 Comment(1)
Maximum value for timeout? For HttpSessionState.Timeout it is 525,600 minutes (1 year). - Carnage
W
-2

I believe the persistent cookie is valid indefinitely (unless the user clears their browser cookies of course). The timeout attribute just tells forms authentication how long to keep the session active.

Take a look here:

Cookie Confusion with FormsAuthentication.SetAuthCookie() Method

Whereinto answered 7/10, 2011 at 0:55 Comment(1)
Differences: slidingExpiration vs time Expiration vs Persistent cookie? - Carnage
