I am generating a FormsAuthentication ticket and storing it in a cookie, which I use with the MVC AuthorizeAttribute to provide authorization. Right now, I’ve got it so the cookie doesn’t expire if I have a “stay signed in” checkbox checked (I’m just changing the cookie.expires to now + 1 year, for testing purposes, when they’ve got it checked to stay signed in).
However, even though I set that the cookie is persistent when I create the ticket, the ticket still stops working after the timeout period.
Here’s the code where I create the AuthTicket:
var now = DateTime.UtcNow.ToLocalTime();
FormsAuthenticationTicket authTicket = new System.Web.Security.FormsAuthenticationTicket(1, username, now, now.Add(FormsAuthentication.Timeout), rememberMe, username, FormsAuthentication.FormsCookiePath);
string encryptedTicket = System.Web.Security.FormsAuthentication.Encrypt(authTicket);
return encryptedTicket;
That’s the same encryptedTicket that I set as a cookie. Anyone know how I can keep this ticket allowed past the FormsAuthentication timeout? Do I just have to manually mess with the FormsAuthentication Timeout time?
The amount of time the cookie sticks around is not the same as how long the login will stay valid. Basically, the persistent cookie is a ‘should this cookie stick around after the browser closes’ and is independent of how long this login is valid. You can use this to store the username for instance so that a user does not have to re-enter this information when they come back.
If the cookie is valid, but the login has expired within the cookie, you will need to log in again. If you want your login to last longer, you will need to extend the time on your <forms> tag in the web.config or you can do this in code, but then you need to recompile if you want to lengthen/shorten the expiration times.
Here are some sites that explain a little further about these concepts:
http://software-security.sans.org/blog/2012/04/05/forms-authentication-remember-me-its-hard-not-too
Cookie Confusion with FormsAuthentication.SetAuthCookie() Method
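The "do this in code" option from the answer, as an added example that is not code from the question or the answer: the ticket gets its own longer expiration when rememberMe is set, and the cookie's Expires is aligned with it. The class name, method name and the 30-day RememberMeLifetime are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class RememberMeTicket   // hypothetical helper name
{
    // Assumed value: pick the longest period you accept a copied cookie staying usable.
    private static readonly TimeSpan RememberMeLifetime = TimeSpan.FromDays(30);

    public static HttpCookie Create(string username, bool rememberMe)
    {
        DateTime issued = DateTime.Now;

        // The ticket's own expiration decides how long the login is valid.
        // Without "remember me" the <forms timeout="..."> value still applies.
        DateTime expires = issued.Add(
            rememberMe ? RememberMeLifetime : FormsAuthentication.Timeout);

        var ticket = new FormsAuthenticationTicket(
            1, username, issued, expires, rememberMe,
            username,                              // userData, as in the question
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,  // follows <forms requireSSL="...">
            Path = FormsAuthentication.FormsCookiePath
        };
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Persistent login: the browser keeps the cookie exactly as long as the
        // ticket inside it is valid. Otherwise Expires stays unset (session cookie).
        if (rememberMe)
            cookie.Expires = ticket.Expiration;

        return cookie;
    }
}
```

Add the result to the response with `Response.Cookies.Add(RememberMeTicket.Create(username, rememberMe))`. A long-lived ticket works as a bearer credential for its whole lifetime, so the lifetime chosen here is also the window in which a copied cookie remains valid.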