Expire ASPXAUTH Cookie when browser closes

Question

I'm creating an ASPXAUTH cookie by using the following code

var authTicket = new FormsAuthenticationTicket(2, model.Name, DateTime.Now, DateTime.Now.AddMinutes(ConfigSettings.SessionTimeout),
                    false, result.UniqueId.ToString());

                var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                    FormsAuthentication.Encrypt(authTicket))
                {
                    HttpOnly = true,
                    Expires = authTicket.Expiration                    
                };

                Response.AppendCookie(authCookie);

When the user closes the browser (both IE and Chrome) and logs in again the session is still active, the APSXAUTH cookie is not expired. I've set it to be non persistent. I'm also certain all browser instances have been closed.

What am I missing?

score 3 · Accepted Answer · answered May 18 '15 at 15:48

3

Since you manually set the Expires property, the browser creates a persistent cookie at the client side.

Just do not set any value there, comment out that line. This will create a cookie that lasts as long as the browser is open.

Note that usually it means that even if a user closes the tab, the cookie is still there. It disappears when the browser process is closed and restarted.

answered May 18 '15 at 15:48

Wiktor Zychla

47,367
6
74
106

I met same question .My FormsAuthenticationTicket is by [using System.Web.Security ] ,therefore I couldn't just comment that line (the class would go wrong) Is there has other way to not to set APSXAUTH's Expries? – 楊宇恩 Feb 09 '22 at 07:08

Expire ASPXAUTH Cookie when browser closes

1 Answers1