Persistent Cookies

[sanchita]

Hello everyone,

I didn't get any response in "Security" forum hence posting here again.

I am having problem with persistent cookies. Even after setting
"CreatePersistentCookie" to true in "FormsAuthentication.SetAuthCookie" I'm
being logged out after the specifed timeout provided in "forms"
element of web.config.

I read somewhere that lifetime of persistent cookies depend on the timeout
attribute on the forms authentcation node. If I have to enter a timeout of
days/weeks then it doesnt really make sense to make my cookie persist in
this fashion, that defies the purpose of persistent cookies.

Any insights welcome
Thanks
Sanchita

 

[Rick Strahl [MVP]]

Hi sanchita,

This has been a change in ASP.NET 2.0. If you don't specify
CreatePersistantCookie the cookie times out. If you do, then the timeout
value is what determines the cookie timeout even if you create a persistent
cookie.

This differs from ASP.NET 1.x which created a cookie with a long expiration
date - in 2.0 the expiration date is based on the timeout.

IOW, you need to set thte timeout value to a large number if you want a true
persistent cookie.

+++ Rick ---

 

[Cowboy \(Gregory A. Beamer\)]

You miss the purpose of persistant cookies. They are not used for session
management, they are used for authentication.

A persistent cookie is designed to allow the user to access a secured site
without having to log in again when he hits the site the second time. It
persists the authentication on the client side so it is sent with the
header. The system then automatically logs him in.

Session timeout is a part of your application. While the cookie can "re-log
on" the user if he times out, it cannot change the timeout behavior on the
server just because the user has a cookie.

For the record, you should NOT increase timeout to days. That defeats the
purpose of session management. What you can do is kick the user back to the
start page and abandon session, forcing the timeout. You then provide a link
on the timeout page. This can be a dynamic link back to where he was
working, if you desire. The user will then be logged back in, as the cookie
is there.

This may not be what you envision and make you think you want to increase
session time until the year 2010. Here is why. The session timeout is how
long the server keeps objects in session, meaning in memory on the server.
You set a really long timeout, say two weeks out. That session is now open
for two weeks. User's computer crashes and he opens the browser and hits
your site. You now have 2 two-week sessions for one user. After some work,
the user shuts down and then opens the browser again and hits the site. You
now have 3 two-week sessions for one user. This can go on until you use all
of the memory on the server with just a couple of users.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

*********************************************
Think outside the box!
*********************************************

 

[sanchita]

Yes I know that they arent used for session management. Since persistent
cookies arent working the way they were in asp.net 1.1, wherein what used to
happen was the framework itself had set the timeout for a persistent cookie
for days, we didn't have a control over it. However in asp.net 2.0 we can
set the timeout for persistent cookies in our configuration. But the funny
thing is no matter if you want the cookie to be persistent or
non-persistent, both will acquire this timeout value. So it leaves me no
choice but to set one. Scott Gutherie from Microsoft also verifed on this to
us.

Although I'm working out my options and not just setting the timeout value
to a huge number. For the record I'm using Dotnetnuke 2.4 and facing this
problem since I shifted to asp.net 2.0. However my Team leader tells me that
in DNN 4.0 persistent cookies work fine despite the default timeout.

Thanks
Sanchita