Home/ Questions/Q 1071223
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T20:41:00+00:00

In an ASP.NET MVC2 app, we have the standard login action… if (ValidateUser(model.Email, model.Password)

  • 0

In an ASP.NET MVC2 app, we have the standard login action…

if (ValidateUser(model.Email, model.Password)
{
  FormsAuthentication.SetAuthCookie(model.Email, model.RememberMe);
  ...

where the second parameter to SetAuthCookie is createPersistentCookie with the following documentation:

createPersistentCookie
  Type: System.Boolean
    true to create a persistent cookie
    (one that is saved across browser sessions); otherwise, false.

We would like to have the persistent cookie expire after 2 weeks (i.e., a user could return to the site within 2 weeks and not be required to re-authenticate. After that time they would be asked to login again).

How do we set the expiration for the persistent cookie?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Can you not do this?

    <system.web>
    <authentication mode="Forms">
          <forms timeout="20160"/>
    </authentication>
</system.web>

    The timeout is in minutes.

    This timeout value is irrespective of whether or not you are creating a persistent cookie. It simply says that if you don’t explicitly terminate the cookie (FormsAuthentication.SignOut), it will automatically expire after the given time period.

    In other words, if you do:

    FormsAuthentication.SetAuthCookie(someMembershipName, false);

    Will result in the cookie expiring when:

    • The user closes the browser, or
    • The timeout is reached.

    As opposed to if you do:

    FormsAuthentication.SetAuthCookie(someMembershipName, true);

    Will result in the cookie only expiring when the timeout is reached.

    HTH

    EDIT:

    Take from MSDN:

    the timeout attribute is described as follows:

    Specifies the time, in integer
    minutes, after which the cookie
    expires. If the SlidingExpiration
    attribute is true, the timeout
    attribute is a sliding value, expiring
    at the specified number of minutes
    after the time that the last request
    was received. To prevent compromised
    performance, and to avoid multiple
    browser warnings for users who have
    cookie warnings turned on, the cookie
    is updated when more than half of the
    specified time has elapsed. This might
    cause a loss of precision. The default
    is “30” (30 minutes).

    Note Under ASP.NET V1.1 persistent
    cookies do not time out, regardless of
    the setting of the timeout attribute.
    However, as of ASP.NET V2.0,
    persistent cookies do time out
    according to the timeout attribute    .

    In other words, this expiration setting handles the Forms Authentication cookie only.

    The Forms Authentication cookie is a client-side cookie, it has nothing to do with other server-side session you may have (ie a Shopping Cart).

    That Session is expired with the following setting:

    <sessionstate 
      mode="inproc"
      cookieless="false" 
      timeout="20"
    • 0