Persistent cookie timeout with FormsAuthentication

Question

I am creating some "Remember Me" functionality as part of logging in.

When I create a persistent cookie during the login process with the following:

FormsAuthentication.SetAuthCookie("someusername", true);

And my Web.Config looks as follows:

<authentication mode="Forms">
  <forms loginUrl="~/sign-in" timeout="2880" />
</authentication>

How long will the cookie be valid for before the user will be asked to provide their login details again? Also, Is there/What is the default length of time used when setting a persistent cookie?

Answer 1

timeout is mentioned in your authentication module as:

<forms loginUrl="~/sign-in" timeout="2880" />

timeout="2880". This 2880 value is given in minutes. So if you divide 2880 by 60, you get 48 hours which is answer to your question. Users will have to provide their login credentials again after 48 hours period expires.

Hope it helps.

Answer 2

I found the answer I was looking for thanks to this article:

Dan Sellers's WebLog

where he states:

in ASP.NET 2.0 the timeout value of both persistent and session based cookies are controlled by the timeout attribute on the<forms/>element

So in my example the persistent cookie will expire in 48 hours.

Answer 3

I believe the persistent cookie is valid indefinitely (unless the user clears their browser cookies of course). The timeout attribute just tells forms authentication how long to keep the session active.

Take a look here:

Cookie Confusion with FormsAuthentication.SetAuthCookie() Method