ASP.NET Form Authentication auth cookie is always persistent

Question

I am trying to implement remember me functionality in login for my project using Asp.Net Form Authentication. The problem is once user logs in, he remains logged in even when the browser is closed and reopen. It seems that the Auth cookie is always persistent irrespective of whether user have checked remember me option or not.I have no idea what am i suppose to do??Can anyone guide me through??

I guess normally this line of code is enough to achieve what i want to:

 FormsAuthentication.SetAuthCookie(model.Username, model.RememberMe);

score 0 · Answer 1 · answered May 25 '17 at 18:53

0

This could be controlled by the timeout attribute in the Web.config

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>

answered May 25 '17 at 18:53

Matt Mombrea

6,793
2
20
20

Sorry It did not work, though thanks for your answer. – Saroj Bhattarai May 26 '17 at 17:59

score 0 · Answer 2 · answered May 26 '17 at 13:46

It would be helpful if you add the authentication mode in Web.config as shown by @Matt. Anyway, if you observe the cookies issued with Remember Me toggle on & off, you'll noticed the following:-

Remember Me ✕ : Auth Cookie Expires attribute: Session (Session cookie)

Remember Me ✓ : Auth cookie Expires attribute: { UTC Time } (Persistent cookie)

Session cookie will last as long as the browser remains active. Threfore the cookie will be disposed only after you close the browser window (not tab) as opposed to persistent cookie.

You can know more about the concept of cookies & browser behaviour at below:-

Why Doesn't Closing A Tab Delete A Session Cookie?

HTTP Cookie Wikipedia

Sorry It did not work, indeed I tried using authentication ticket with custom settings as well but no luck .Thanks — Saroj Bhattarai, May 26 '17 at 18:02

ASP.NET Form Authentication auth cookie is always persistent

2 Answers2