Thoughts on Software Engineering

About the ASP.NET Persistent Authentication Cookies Timeout

Most people using ASP.NET Forms Authentication use the built-in <asp:Login> control, which works fine, but when we use a custom login form we have the following problem: the cookie expiration timeout in ASP.NET Forms Authentication uses the same value for persistent and non-persistent sessions. It is defined in Web.config by the timeout attribute of the <forms> tag and has a default value of 30 minutes. Thus, by default, if you log in without the “remember me” option, your maximal inactivity period will be 30 minutes. At the same time, if you log in with the “remember me” option, your cookie’s life will also be 30 minutes, which is obviously incorrect. If you put a very big session timeout in Web.config, e.g. 50 years, persistent login will work well, but the non-persistent login will then no longer be limited to 30 minutes or so.

The problem described above is a well-known and documented design flaw in the Microsoft ASP.NET Forms Authentication framework. The persistent and non-persistent timeouts obviously should be separately definable, but Microsoft failed to do this even after numerous discussions in the community groups, forums, blogs, etc.

Note that if you use the <asp:Login> control and check “remember me”, the asp:Login control itself will set the cookie timeout to 50 years, but if you use a custom (self-made) login form or a different Web application framework (not ASP.NET Web Forms), you will need to work around this well-documented bug. Typically I use the following code to work around this problem:

private void PerformLogin(string username, string password, bool rememberMe, string returnUrl)
{
    if (Membership.ValidateUser(username, password))
    {
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(username, rememberMe);
        if (rememberMe)
        {
            // For a persistent cookie ("remember me" checked) the expiration must be set manually
            // to 1 year after the current date. The default expiration timeout is taken from the
            // <forms timeout="..."> attribute in Web.config and is 30 minutes only (for both
            // persistent and non-persistent cookies). This is a well-documented design flaw in the
            // ASP.NET Forms Authentication framework and has to be worked around here.
            //
            // Extending only authCookie.Expires is not enough: the encrypted ticket inside the cookie
            // carries its own Expiration, and FormsAuthenticationModule rejects an expired ticket even
            // when the browser still sends the cookie. So the ticket is re-issued with a 1-year lifetime
            // and the cookie expiration is set to the same instant.
            FormsAuthenticationTicket shortTicket = FormsAuthentication.Decrypt(authCookie.Value);
            DateTime expires = DateTime.Now.AddYears(1);
            FormsAuthenticationTicket persistentTicket = new FormsAuthenticationTicket(
                shortTicket.Version, shortTicket.Name, shortTicket.IssueDate, expires,
                true, shortTicket.UserData, shortTicket.CookiePath);
            authCookie.Value = FormsAuthentication.Encrypt(persistentTicket);
            authCookie.Expires = expires;
        }
        Response.Cookies.Add(authCookie);
        Response.Redirect(returnUrl);
    }
    else
    {
        // Handle invalid login ...
    }
}
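To verify that a “remember me” login actually survives on the server side, it helps to decrypt the forms cookie on a later request and look at the ticket's own expiration, which is the value FormsAuthenticationModule enforces. The following helper is an added example, not code from the original post; the class and method names (AuthCookieInspector, AuthCookieStatus, Inspect) are my own, and it only uses the public FormsAuthentication and FormsAuthenticationTicket API.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical helper (added example): decrypts the forms authentication cookie of the
// current request and reports the server-side expiration carried inside the ticket, so a
// persistent login can be checked end to end instead of trusting Cookie.Expires alone.
public static class AuthCookieInspector
{
    public sealed class AuthCookieStatus
    {
        public string UserName;
        public bool IsPersistent;
        public DateTime TicketExpiration;   // limit enforced by FormsAuthenticationModule
        public bool TicketExpired;
        public TimeSpan TicketRemaining;
    }

    // Returns null when no forms cookie is present or the ticket cannot be decrypted
    // (tampered, truncated, or issued under a different machineKey).
    public static AuthCookieStatus Inspect(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return null; }        // malformed ticket string
        catch (CryptographicException) { return null; }   // bad padding / wrong key
        catch (HttpException) { return null; }            // rejected by the framework

        if (ticket == null)
            return null;

        return new AuthCookieStatus
        {
            UserName = ticket.Name,
            IsPersistent = ticket.IsPersistent,
            TicketExpiration = ticket.Expiration,
            TicketExpired = ticket.Expired,
            TicketRemaining = ticket.Expired ? TimeSpan.Zero : ticket.Expiration - DateTime.Now
        };
    }
}

// Usage from a page or handler (status is null for anonymous or invalid cookies):
//   var status = AuthCookieInspector.Inspect(Request);
//   if (status != null && status.IsPersistent && status.TicketRemaining < TimeSpan.FromDays(300))
//       Trace.Warn("Persistent ticket expires far earlier than the intended 1 year");
```

A request cookie never carries its Expires attribute (browsers do not send it back), so the browser-side lifetime can only be seen in the Set-Cookie response header or the browser's cookie store; the ticket expiration reported here is the one that decides whether the server still accepts the login. If the helper shows a 30-minute ticket on a “remember me” login, only the cookie was extended and the ticket still needs to be re-issued as in the method above.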