Persistent Forms auth cookies in ASP.NET 2.0

Security Briefs


Spelunking around with ASP.NET forms auth I got a bit of a surprise this morning. The last time I checked, in 1.x ASP.NET assigned a persistent forms cookie an expiration date that was 50 years in the future. But the code looks very different in 2.0. If you ask for a persistent cookie, you get one with an expiration equal to DateTime.Now.AddMinutes(T), where T is the timeout that you've configured for Forms login (which defaults to 30 minutes).

This may surprise you (and your users) if you're upgrading to 2.0, so be aware. It's certainly better from a security point of view not to assign a login cookie that lasts for 50 years. But it changes things pretty dramatically from a usability standpoint, and there's always that tradeoff...
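As an added illustration (not code from the original post), the following C# shows how an ASP.NET 2.0 application can issue a persistent forms ticket with an explicitly chosen, bounded lifetime instead of inheriting the forms timeout that FormsAuthentication.SetAuthCookie uses; the class name and the 14-day lifetime are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the original post. Builds the forms ticket by hand so
// that the expiry is a deliberate policy choice rather than <forms timeout="...">.
public static class PersistentFormsCookie
{
    // Assumed policy: "remember me" logins live at most 14 days.
    private static readonly TimeSpan RememberMeLifetime = TimeSpan.FromDays(14);

    public static void Issue(HttpResponse response, string userName)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(RememberMeLifetime);

        // The ticket's own expiration is what the server enforces; the cookie's
        // Expires attribute only controls how long the browser keeps it.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,
            issued,
            expires,
            true,                                // isPersistent
            String.Empty,                        // userData
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // not readable by script
        cookie.Secure = FormsAuthentication.RequireSSL;  // honours requireSSL="true"
        cookie.Expires = expires;                        // survives the browser session

        response.Cookies.Add(cookie);
    }
}
```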

Keith


Posted May 24 2006, 12:23 PM by keith-brown

Comments

Sanchita wrote re: Persistent Forms auth cookies in ASP.NET 2.0
on 03-26-2007 12:51 PM
Hello,

So there is no other way to overcome this issue in ASP.NET 2.0?
I will just *have* to increase my timeout value in web.config if I want to make my cookie persist for the user?

Thanks
Sanchita
