ASP.NET 2.0 Forms Authentication

by Dominick Baier

Related link: http://www.leastprivilege.com/FormsAuthPersistentCookies20RTM.aspx



In ASP.NET 1.1 and 2.0 Beta 2, persistent cookies that were set using RedirectFromLoginPage and SetAuthCookie had a lifetime of 50 years. I wrote about that here.


In 2.0 RTM, this behaviour has changed. The timeout attribute of the <forms /> config element is used now, for persistent cookies as well: if you have set a 20-minute timeout, the expiration of a persistent cookie is set to 20 minutes, too.


That's a good choice IMO; persistent cookies are dangerous, and cookies with a nearly unlimited lifetime even more so. Cookies containing a forms authentication ticket are completely self-contained (the encrypted ticket carries the user name and expiration, and there is no server-side session to revoke), so a stolen cookie can easily be replayed, even after years. Rudolph Aurajo wrote a paper about that here.


If you really want to persist the cookie for longer than the timeout attribute specifies, you now have to create the forms authentication ticket yourself and set the cookie and its expiration time manually.
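The following is an added example (not code from the original post) showing how that manual path looks in ASP.NET 2.0: the ticket is built with an explicit, long expiration, encrypted with FormsAuthentication.Encrypt, and written as a cookie whose Expires matches the ticket. The 30-day lifetime and the page-level method name are assumptions for illustration; the FormsAuthentication, FormsAuthenticationTicket and HttpCookie members used are the real 2.0 APIs.

```csharp
using System;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Assumed policy for this example: a "remember me" cookie lives 30 days,
    // independent of the <forms timeout="..."/> value in web.config.
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(30);

    // Called after the user's credentials have been validated.
    // Note: FormsAuthentication.SetAuthCookie(userName, true) would, in 2.0 RTM,
    // expire the cookie after the configured timeout instead of 30 days.
    private void IssuePersistentAuthCookie(string userName)
    {
        DateTime issued = DateTime.Now;

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            userName,
            issued,
            issued.Add(PersistentLifetime),     // server-side validity of the ticket
            true,                               // persistent
            String.Empty,                       // no user data
            FormsAuthentication.FormsCookiePath);

        // The ticket is signed/encrypted with the machineKey, so it is self-contained:
        // anyone holding this string is "userName" until the expiration above.
        string encryptedTicket = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        cookie.Expires = ticket.Expiration;     // browser keeps it as long as the ticket is valid
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                 // keep it away from script
        cookie.Secure = FormsAuthentication.RequireSSL;   // honour requireSSL="true"

        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, true), true);
    }
}
```

Two details matter here. The cookie's Expires only controls how long the browser stores it; the expiration inside the ticket is what the server checks, so both have to be set, and the ticket one is the security boundary. And because the ticket cannot be revoked server-side, a long lifetime should go together with requireSSL and HttpOnly, and with re-authentication before sensitive operations, since the cookie is as good as the password until it expires.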