Home/ Questions/Q 7492937
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T16:40:13+00:00

I am using the built in Forms authentication in an MVC3 application. The issue

  • 0

I am using the built in Forms authentication in an MVC3 application. The issue I am currently facing is that the cookies slidingexpiration is not working.

The web.config file has the following line:

<forms loginUrl="/auth" name="authy" path="/" slidingExpiration="true" />

note:: I have declared slidingexpiration even though the default is true.

Within my code I am making use of the basic Membership Provider class with no extending or modification. My global.asax file is using the system default.

There is no point in adding a code example as this is just a base project with no extra code added. I am using the FormsAuthentication.SetAuthCookie(username, true); to set the cookies initially.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Quote from the documentation:

    Sliding expiration resets the expiration time for a valid
    authentication cookie if a request is made and more than half of the
    timeout interval has elapsed. If the cookie expires, the user must
    re-authenticate. Setting the SlidingExpiration property to false can
    improve the security of an application by limiting the time for which
    an authentication cookie is valid, based on the configured timeout
    value.

    2 very important things to notice in this quote:

    1. if a request is made
    2. half of the timeout interval ….

    You haven’t specified a timeout so the default value of 30 minutes will be used.

    Another important thing to notice in this quote:

    Setting the SlidingExpiration property to false can improve the
    security

    but I guess you don’t care about security since you have activated it.

    UPDATE:

    Here’s a full example illustrating the concept:

    Controller:

    public class HomeController : Controller
{
    public ActionResult Index()
    {
        FormsAuthentication.SetAuthCookie("foo", true);
        return View();
    }

    [Authorize]
    public ActionResult Foo()
    {
        return Json(User.Identity.Name + " is still authenticated", JsonRequestBehavior.AllowGet);
    }
}

    View:

    <script type="text/javascript">
    $(function () {
        (function () {
            var caller = arguments.callee.caller;
            window.setTimeout(function () {
                $.getJSON('@Url.Action("foo")', function (result) {
                    $('#msg').append($('<div/>', { text: result }));
                    caller();
                });
            }, 10000);
        })();
    });
</script>

<div id="msg"></div>

    web.config:

    <authentication mode="Forms">
    <forms 
        loginUrl="/auth" 
        name="authy" 
        path="/" 
        slidingExpiration="true" 
        timeout="1" 
    />
</authentication>

    No matter how long you stay on the Index view, the user will still be authenticated.

    • 0