4

I am trying to implement a very basic ASP.NET forms authentication mechanism for an MVC site. The problem I am getting is that my authentication cookie is being set to expire after one year whereas I don't want it to expire after such a long time. Here is some of my code:

web.config

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2" />
</authentication>

controller

...
FormsAuthentication.SetAuthCookie(username, false);
...

I have found this answer (this question is similar but in my case timeout never occurs) but is this the only way to make the cookie expire or am I doing something wrong here?

When I view the cookie it is set to expire after one year even though it should expire after a couple of minutes, why?

What I want is somehow the user gets logged out after some time and I thought setting expiration in forms tag would do the job?

Syed Ali
  • can you post your web.config? specifically the tag – lopezbertoni Oct 09 '13 at 00:19
  • I don't have a membership provider in the config – Syed Ali Oct 09 '13 at 10:01
  • is that a required thing? – Syed Ali Oct 09 '13 at 10:37
  • Yes, I believe there should be. You can try by adding a template MVC starter project that already has Authorization/Membership built in and see how it's done. – lopezbertoni Oct 09 '13 at 14:35
  • Well I don't have any membership/roles tables in the db. Also db has its own user table so I just want to use this and get plain authentication without authorization stuff. I know the starter project works out of the box but I don't have a db like that in my project. Thanks anyway – Syed Ali Oct 09 '13 at 14:51

1 Answer

10

Almost a month, 100 views and no answers after I have found a solution.

First, the timeout specified in the web.config works only when the cookie is set as persistent, i.e. a persistent cookie can also expire. Initially I wrongly assumed that a persistent cookie cannot expire. In fact, my original code would have worked if I had always set the cookie to persistent.

Secondly, I believe there is no need for a membership provider to make Forms Authentication work as suggested in the comments above.

Here is how I now create an authentication cookie:

HttpCookie authCookie = FormsAuthentication.GetAuthCookie(username, isPersistent);
if (!isPersistent)
{
    //this is because if it was not set then it got 
    //automatically set to expire next year even if 
    //the cookie was not set as persistent
    authCookie.Expires = DateTime.Now.AddMinutes(15);
}

Response.Cookies.Add(authCookie); 

Please let me know if there is any alternative to this?

Syed Ali
  • Seems like this would work, but what happens if we have slidingExpiration set to `true`? – dmathisen Mar 02 '16 at 15:45
  • I have my persistence set to true and expiration for 30 minutes yet 18 hours later, cookie is still valid. – Daniel Jackson Dec 09 '17 at 20:59
  • @DanielJackson Not sure, I did this back in 2013 and not tried it again since then. Maybe there was a bug with the persistent cookies which got fixed later on? – Syed Ali Dec 13 '17 at 16:04
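
An added example (not code from the posts above): building the forms authentication ticket explicitly, so that the expiration stored inside the encrypted ticket, which the server checks on each request, and the cookie's browser-side `Expires` come from the same value. `IssueAuthCookie` is a hypothetical helper name; the lifetime is read from the `<forms timeout="...">` setting through `FormsAuthentication.Timeout`.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // Hypothetical helper (the name is an assumption): call it only after the
    // credentials have been verified against your own user table.
    private void IssueAuthCookie(string username, bool isPersistent)
    {
        DateTime issued = DateTime.Now;
        // FormsAuthentication.Timeout mirrors <forms timeout="..."> in web.config.
        DateTime expires = issued.Add(FormsAuthentication.Timeout);

        // The ticket carries its own expiration. With the default
        // protection="All" it is encrypted and integrity-protected, so the
        // server-side lifetime does not depend on the cookie's Expires attribute.
        var ticket = new FormsAuthenticationTicket(
            1,                                    // ticket version
            username,
            issued,
            expires,
            isPersistent,
            string.Empty,                         // no custom user data
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows <forms requireSSL>
            Path = FormsAuthentication.FormsCookiePath
        };

        // Persistent: keep the browser-side lifetime in step with the ticket.
        // Non-persistent: leave Expires unset so the browser treats it as a
        // session cookie and drops it when the browser closes.
        if (isPersistent)
        {
            cookie.Expires = expires;
        }

        Response.Cookies.Add(cookie);
    }
}
```

With `slidingExpiration="true"`, the forms authentication module reissues the ticket with a fresh expiration once more than half of the timeout has elapsed, so an active session outlives the initial `expires` value computed here.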