开发者

Controlling the FormsAuthentication createPersistentCookie expiration

In an ASP.NET MVC2 app, we have the standard login action...

if (ValidateUser(model.Email, model.Password)
{
  FormsAuthentication.SetAuthCookie(model.Email, model.RememberMe);
  ...

where the second parameter to SetAuthCookie is createPersistentCookie with the following documentation:

createPersistentCookie
  Type: System.Boolean
    true to create a persistent cookie
    (one that is saved across browser sessions); otherwise, false.

We would like to have the persistent cookie expire after 2 weeks (i.e., a user could return to the site wit开发者_如何学Gohin 2 weeks and not be required to re-authenticate. After that time they would be asked to login again).

How do we set the expiration for the persistent cookie?


Can you not do this?

<system.web>
    <authentication mode="Forms">
          <forms timeout="20160"/>
    </authentication>
</system.web>

The timeout is in minutes.

This timeout value is irrespective of whether or not you are creating a persistent cookie. It simply says that if you don't explicitly terminate the cookie (FormsAuthentication.SignOut), it will automatically expire after the given time period.

In other words, if you do:

FormsAuthentication.SetAuthCookie(someMembershipName, false);

Will result in the cookie expiring when:

  • The user closes the browser, or
  • The timeout is reached.

As opposed to if you do:

FormsAuthentication.SetAuthCookie(someMembershipName, true);

Will result in the cookie only expiring when the timeout is reached.

HTH

EDIT:

Take from MSDN:

the timeout attribute is described as follows:

Specifies the time, in integer minutes, after which the cookie expires. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time that the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half of the specified time has elapsed. This might cause a loss of precision. The default is "30" (30 minutes).

Note Under ASP.NET V1.1 persistent cookies do not time out, regardless of the setting of the timeout attribute. However, as of ASP.NET V2.0, persistent cookies do time out according to the timeout attribute.

In other words, this expiration setting handles the Forms Authentication cookie only.

The Forms Authentication cookie is a client-side cookie, it has nothing to do with other server-side session you may have (ie a Shopping Cart).

That Session is expired with the following setting:

<sessionstate 
      mode="inproc"
      cookieless="false" 
      timeout="20" 
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜