I'm developing a .NET MVC web application in C# which implements form authentication.

I have the below configuration in my web.config file:

<authentication mode="Forms">
  <forms loginUrl="~/Home/Register" timeout="10080" name="Test" slidingExpiration="true"/>
</authentication>
<sessionState cookieName="Test" timeout="5040"/>

I have some questions:

  1. Is using the same name for the session state cookie name and the forms cookie name OK, or will it cause problems/collisions for parameters such as timeout?
  2. Does setting slidingExpiration="true" cause renewal of the timeout automatically, or does it require calling some special function on the backend?
  3. I have read the second comment of this answer: https://stackoverflow.com/a/17813200/1080355. So I set the forms auth cookie timeout to twice the session timeout. Am I doing it in the right manner?
VSB

1 Answer

  1. Setting the same name for both cookies will cause issues; please avoid it and set unique names for both cookies.

  2. The cookie will be renewed automatically, but of course only upon a request. As long as there are no requests from the browser, there's nothing to renew. Renewal consists in just issuing a new cookie that overwrites the old one.

Edit: Not sure why this is not clear. Maybe this will help: the browser makes a request, the server finds out that the cookie is valid but it's about to expire. So the server issues a new cookie. Formally, it's the forms authentication module that does so, automatically.

  3. Forms cookie timeout and session state timeout are completely unrelated and there's no rule that would make one dependent on the other.
Wiktor Zychla
  • I don't understand the 2nd answer. How will the cookie be renewed during the requests? I have two cookies, one cookie for formAuth and another for session. Since I have no pieces of code to renew the cookie, I want to know if any subclasses or the browser itself updates them automatically on each request? And what does this mean: 'Renewal consists in just issuing a new cookie that overwrites the old one'? – VSB Aug 01 '21 at 14:05
  • Besides, I want to know whether `slidingExpiration="true"` is a parameter that I should manage myself. I'm wondering what functions setting this to `true` triggers and how it will cause the expiration time to be updated... – VSB Aug 01 '21 at 14:22
  • Edited my answer. This is probably simpler than you expect, and probably because of this you expect this mechanism to do something different than it already does. You don't do anything else besides setting the sliding expiration to true. – Wiktor Zychla Aug 01 '21 at 15:16
  • Side note - I strongly recommend replacing the forms module with the SAM module. It does a few things better. https://www.wiktorzychla.com/2014/11/forms-authentication-revisited-for-net.html?m=1 – Wiktor Zychla Aug 01 '21 at 15:18
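
The renewal rule discussed in the answer above, as an added example that is not part of the original thread or ASP.NET's own source: a self-contained C# model using hypothetical `Ticket` and `OnRequest` names. It assumes the documented behaviour of `slidingExpiration="true"`, where a new cookie is issued only on a request that arrives after half of the timeout has elapsed, and it uses the `timeout="10080"` value from the question.

```csharp
using System;

// Model of a forms-authentication ticket: only the two timestamps matter here.
public sealed class Ticket
{
    public DateTime IssueDate { get; }
    public DateTime Expiration { get; }
    public Ticket(DateTime issueDate, DateTime expiration)
    {
        IssueDate = issueDate;
        Expiration = expiration;
    }
}

public static class SlidingExpirationModel
{
    // Returns null when the ticket has expired (the request is unauthenticated),
    // the same ticket while less than half of its lifetime has elapsed,
    // or a fresh ticket with the same lifetime otherwise.
    public static Ticket OnRequest(Ticket ticket, DateTime now)
    {
        if (now >= ticket.Expiration) return null;
        TimeSpan age = now - ticket.IssueDate;
        TimeSpan remaining = ticket.Expiration - now;
        if (remaining > age) return ticket;            // first half: no new cookie
        TimeSpan lifetime = ticket.Expiration - ticket.IssueDate;
        return new Ticket(now, now + lifetime);        // second half: reissue
    }

    public static void Main()
    {
        // Constructed sample: 10080 minutes (7 days), login date chosen arbitrarily.
        TimeSpan lifetime = TimeSpan.FromMinutes(10080);
        DateTime login = new DateTime(2021, 8, 1, 0, 0, 0, DateTimeKind.Utc);
        Ticket ticket = new Ticket(login, login + lifetime);

        // Requests arriving this many days after login.
        foreach (double day in new[] { 1.0, 3.0, 4.0, 6.0, 12.0 })
        {
            Ticket result = OnRequest(ticket, login.AddDays(day));
            string outcome = result == null ? "expired, user must log in again"
                : ReferenceEquals(result, ticket) ? "valid, cookie left unchanged"
                : "valid, new cookie issued, expires " + result.Expiration.ToString("u");
            Console.WriteLine("day " + day + ": " + outcome);
            if (result != null) ticket = result;
        }
    }
}
```

With a 7-day timeout, the requests on days 1 and 3 leave the cookie untouched, the request on day 4 reissues it with an expiry on day 11, and the request on day 12 is rejected because nothing arrived in time to renew it.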