chobo2

Reputation: 85775

What can be set in the FormsAuthenticationTicket?

I am still a bit confused about something about FormsAuthenticationTicket and the actual cookie container.

  1. What does DateExpiration in FormsAuthenticationTicket() refer to? Is that when the cookie dies? Is that how long the user can stay logged in without any active actions (i.e. timeout)?

  2. <forms loginUrl="~/Account/LogOn"
           protection="All"
           timeout="20160"
           name="test"
           path="/"
           requireSSL="false"
           slidingExpiration="false"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
    This is what is in my web config. Now, do any of these get set to the cookie automatically? For instance, can I grab from the name field what I need to grab when making my cookie?

     HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
    But what about setting protection (whatever that is), timeout, slidingExpiration, enableCrossAppRedirects, cookieless etc.? I don't see properties to set these. Are they automatically taken from the web.config or what?

  3. What is the difference between DateExpiration set in the FormsAuthTicket and the one you set for the cookie (authCookie.Expires)?

Thanks

Upvotes: 1

Views: 1486

Answers (1)

to StackOverflow

Reputation: 124726

  1. FormsAuthenticationTicket.Expiration is the time at which the ticket expires. The ticket expiry date/time is stored in the encrypted ticket, so is independent of the cookie expiration time. Note that the client can see and tamper with the cookie expiration time, but should not be able to tamper with the encrypted ticket.

It controls how long the user can access the site without reauthenticating.

  2. The values from web.config are used to build the ticket. You can also build your own ticket with any values you want, encrypt it, and store it in a cookie. There is an example of this in the MSDN documentation for the FormsAuthenticationTicket class.

UPDATE

This MSDN article has info on this subject. If protection is set to All in your web.config, then the ticket is encrypted using the algorithm specified on the machineKey element. The default is SHA1 and AES according to this article.

If you want to see an unencrypted ticket you can set protection="None" in your web.config, though you wouldn't normally want to do this in a production app.

You can also use a tool such as Lutz Reflector to examine the source of the FormsAuthentication and FormsAuthenticationTicket classes to understand more about how the ticket is generated.

Upvotes: 3
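A worked example, added here and not taken from the question or the answer, showing how the web.config values flow into the ticket while the cookie's Expires stays a separate, client-visible setting. It assumes .NET 4 or later (for FormsAuthentication.Timeout); FormsTicketHelper, CreateAuthCookie and ReadValidTicket are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class FormsTicketHelper
{
    // Issue a ticket whose lifetime comes from <forms timeout="..."> in web.config.
    // The ticket's Expiration is what the server trusts; the cookie's Expires only
    // tells the browser how long to keep the cookie and is under the client's control.
    public static HttpCookie CreateAuthCookie(string userName, bool persistent, string userData)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(FormsAuthentication.Timeout); // timeout="20160" -> 14 days

        var ticket = new FormsAuthenticationTicket(
            1,                                    // ticket version
            userName,
            issued,
            expires,
            persistent,
            userData ?? string.Empty,
            FormsAuthentication.FormsCookiePath); // path="/" from web.config

        // Encrypt/sign according to protection="All" and the machineKey element.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted) // name="test"
        {
            HttpOnly = true,                         // keep client script away from the ticket
            Secure = FormsAuthentication.RequireSSL, // mirrors requireSSL="..."
            Path = FormsAuthentication.FormsCookiePath
        };

        // Only a persistent ("remember me") cookie gets a browser-side expiry. A session
        // cookie (no Expires) is dropped when the browser closes, but the ticket inside
        // it still expires at ticket.Expiration on the server regardless of the cookie.
        if (persistent)
            cookie.Expires = expires;

        return cookie;
    }

    // Server-side check: decrypt the ticket and honour its expiration, never the cookie's.
    public static FormsAuthenticationTicket ReadValidTicket(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; } // tampered value, wrong machineKey or malformed ticket
        return (ticket == null || ticket.Expired) ? null : ticket;
    }
}
```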
