Aperture

Reputation: 2427

How to create ASP.NET Membership cookie properly?

I'm using the Membership API for my login system and a weird thing has been bothering me. I allow the user to choose whether to "Remember Me", which means whether to create a persistent cookie with a one month expiration period.

In the Web.config, I wrote:

<authentication mode="Forms">
  <forms timeout="60"  />
</authentication>

This is supposed to be a default session cookie of 60 minutes.

In the code behind of the login page:

if (Membership.ValidateUser(UsernameTextBox.Text, PasswordTextBox.Text))
{
    // Ask forms authentication for a cookie; the ticket inside it uses the Web.config timeout
    HttpCookie authCookie = FormsAuthentication.GetAuthCookie(UsernameTextBox.Text, RememberMeCheckBox.Checked);
    if (RememberMeCheckBox.Checked)
        authCookie.Expires = DateTime.Now.AddMonths(1);
    Response.Cookies.Add(authCookie);
    Response.Redirect(FormsAuthentication.GetRedirectUrl(UsernameTextBox.Text, RememberMeCheckBox.Checked));
}

The result however is strange. I seem to have created a persistent cookie of 60 minutes! How is this possible?

Upvotes: 0

Views: 1058

Answers (1)

womp

Reputation: 116977

You are setting the cookie expiration time to be 1 month, but the authentication ticket that it contains has not been modified. It has inherited the default value of 60 minutes from your web config.

You likely want to synchronize cookie expiration with the authentication ticket expiration, or alternatively set the cookie to have a very long expiry date.

What you need to do is

  1. create a FormsAuthenticationTicket instance manually and set the Expiration property of the instance.

  2. Use FormsAuthentication.Encrypt() to encrypt the ticket

  3. Add a cookie to the Response.Cookies collection containing the ticket, manually (rather than using GetAuthCookie()/SetAuthCookie(), which use the web.config settings).

Some example code is in the documentation for FormsAuthentication.Encrypt().

Upvotes: 2
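The three steps above carried through in one login handler, as an added example that is not code from the question or the answer. It reuses the control names from the question (UsernameTextBox, PasswordTextBox, RememberMeCheckBox); the FailureLabel control, the IssueAuthCookie helper and the two lifetimes (60 minutes to match the question's Web.config, 30 days for "Remember Me") are assumptions for the example:

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not the original poster's or answerer's code. Issues a forms
// authentication cookie whose browser-side expiry matches the expiry of the
// FormsAuthenticationTicket it carries, so the two can no longer disagree.
public partial class Login : System.Web.UI.Page
{
    // Assumed lifetimes: 60 minutes mirrors <forms timeout="60"/> from the
    // question's Web.config; 30 days is the "Remember Me" period it describes.
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(60);
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(30);

    // Wired to the login button; control fields come from the page designer file.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UsernameTextBox.Text;
        bool rememberMe = RememberMeCheckBox.Checked;

        if (!Membership.ValidateUser(userName, PasswordTextBox.Text))
        {
            // One generic message: do not reveal whether the user name exists.
            FailureLabel.Text = "Invalid login.";
            return;
        }

        Response.Cookies.Add(IssueAuthCookie(userName, rememberMe));
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, rememberMe));
    }

    // Assumed helper. The ticket's Expiration is the single source of truth;
    // the cookie's Expires is copied from it for persistent logins.
    private static HttpCookie IssueAuthCookie(string userName, bool persistent)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(persistent ? PersistentLifetime : SessionLifetime);

        // Step 1: build the ticket by hand with an explicit expiration.
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket format version
            userName,
            issued,
            expires,
            persistent,
            string.Empty,                        // no extra userData payload
            FormsAuthentication.FormsCookiePath);

        // Step 2: encrypt (and MAC) the ticket with the machineKey settings.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        // Step 3: put the encrypted ticket in a cookie and add it ourselves.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL   // honours requireSSL in Web.config
        };

        // For "Remember Me" the browser keeps the cookie exactly as long as the
        // ticket is valid. For a session login Expires stays unset, so the cookie
        // dies with the browser while the ticket itself lapses after 60 minutes.
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        return cookie;
    }
}
```

Because the ticket is encrypted and signed under the machineKey, a client that edits the cookie's Expires attribute cannot extend the server-side validity; the server reads the expiry from the decrypted ticket, which is why the answer says to keep the two values in sync rather than relying on the cookie alone.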
