FormsAuth persistent cookies & 2.0 RTM

In ASP.NET 1.1 and 2.0 Beta2 persistent cookie that were placed using RedirectFromLoginPage and SetAuthCookie had a life time of 50 years. I wrote about that here.

In 2.0 RTM, this behaviour has changed. The timeout value of the <forms /> config element is used now. If you have set a 20 minutes timeout, the cookie expiration time will be set to 20 minutes, too.

Thats a good choice IMO; persistent cookies are dangerous, cookies with a nearly unlimited life time even more. Cookies containing a forms authentication ticket are completely self containing and can be easily replayed, even after years. Rudolph Aurajo wrote a paper about that here.

If you really want to persist the cookie (for a longer time than specified in the timeout attribute), you have to create the forms auth ticket yourself and set the cookie and expiration time manually now.

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s