
There are a few ways to handle expiration using FormsAuthentication in .NET. Here are three approaches:
1) use FormsAuthentication.SetAuthCookie. Offers basic functionality. Default persistence time (expiration) in this case is 50 years.
2) manually create cookie using FormsAuthentication.GetAuthCookie, then set the expiration on the cookie, and send that to the client.
3) explicitly create the FormsAuthentication ticket, then encrypt it (using a FormsAuthentication method), and send it in a cookie to the client.
The first method is nice and simple, if you don't need a set expiration or sliding expiration.
The second method works well for a static expiration, and requires resetting the cookie expiration each time for a sliding expiration.
The third method uses a single call to set a sliding expiration.
FormsAuthentication.RenewTicketIfOld() uses the issue and expire timestamps written in the ticket to update the ticket, so you just need to set the issue and expire values in the ticket (not the cookie).
If you use GetAuthCookie to create the cookie rather than creating the ticket, the ticket expiration timestamp won't be the same as the cookie expiration time. In that scenario you need to keep managing the cookie expiration in order to handle a sliding expiration. If you use FormsAuthentication.RenewTicketIfOld() and write the cookie *without* setting the expiration, you get the default (50 years).
As long as you explicitly create the ticket (setting the issue and expiration times) and then use FormsAuthentication.RenewTicketIfOld, the sliding expiration should work without hassle. I put the renew ticket call in Global.asax (in Application_AuthenticateRequest).
Here's the first method, in my login page:

    FormsAuthentication.SetAuthCookie(Username.Text, true);

And the second:

    HttpCookie cookie = FormsAuthentication.GetAuthCookie(
        Username.Text,
        true    // chkPersistCookie.Checked
    );

    // Expires in 30 days, 12 hours and 30 minutes from today.
    // TimeSpan(days, hours, minutes, seconds)
    cookie.Expires = DateTime.Now.Add(new TimeSpan(30, 12, 30, 0));
    Response.Cookies.Add(cookie);

Finally, the third:

    //
    // Explicit... set ticket username, timeout and userdata field.
    //
    HttpContext currentContext = HttpContext.Current;
    string formsCookieStr = string.Empty;
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                              // version
        Username.Text,                  // user name
        DateTime.Now,                   // issue time
        DateTime.Now.AddSeconds(20),    // expires
        true,                           // persistent
        ""                              // user data
    );

    // Get the encrypted representation suitable for placing in an HTTP cookie.
    formsCookieStr = FormsAuthentication.Encrypt(ticket);
    HttpCookie FormsCookie = new HttpCookie(FormsAuthentication.FormsCookieName, formsCookieStr);
    currentContext.Response.Cookies.Add(FormsCookie);

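And here's the code for global.asax.cs:

    // Goes inside Application_AuthenticateRequest.
    // Requires System.Web and System.Web.Security.
    HttpContext currentContext = HttpContext.Current;
    if (currentContext.User != null)
    {
        if (currentContext.User.Identity.IsAuthenticated)
        {
            if (currentContext.User.Identity is FormsIdentity)
            {
                FormsIdentity id = (FormsIdentity)currentContext.User.Identity;
                FormsAuthenticationTicket ticket = id.Ticket;

                // Renew the ticket. Issue and expire time must be set.
                // RenewTicketIfOld returns a new ticket once more than half of the
                // lifetime has elapsed; that ticket has to be sent back to the client.
                FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(ticket);
                if (renewed.Expiration != ticket.Expiration)
                {
                    HttpCookie renewedCookie = new HttpCookie(
                        FormsAuthentication.FormsCookieName,
                        FormsAuthentication.Encrypt(renewed));
                    currentContext.Response.Cookies.Add(renewedCookie);
                }

                // Optional userdata field.
                string userData = renewed.UserData;

                // Custom principal class.
                currentContext.User = new SitePrincipal(id.Name);
            }
        }
    }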
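
The mismatch between ticket expiration and cookie expiration described above can be avoided by deriving the cookie from the ticket in one place. The following is an added example, not code from the original post; AuthCookieHelper and its method names are hypothetical, and it assumes the HttpOnly and Secure cookie flags are wanted on the auth cookie.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; AuthCookieHelper, Build, SignIn and Slide are hypothetical names.
public static class AuthCookieHelper
{
    // Builds the forms-auth cookie so that the cookie lifetime and the
    // encrypted ticket lifetime are always the same value.
    public static HttpCookie Build(FormsAuthenticationTicket ticket)
    {
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = ticket.CookiePath;
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows the <forms> setting
        if (ticket.IsPersistent)
            cookie.Expires = ticket.Expiration;          // otherwise a session cookie
        return cookie;
    }

    // Call from the login page after the credentials have been validated.
    public static void SignIn(HttpResponse response, string userName,
                              TimeSpan lifetime, bool persistent)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(lifetime), persistent,
            string.Empty, FormsAuthentication.CookiePath);
        response.Cookies.Add(Build(ticket));
    }

    // Call from Application_AuthenticateRequest with the current ticket.
    // Returns true when a renewed cookie was sent to the client.
    public static bool Slide(HttpResponse response, FormsAuthenticationTicket ticket)
    {
        FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(ticket);
        if (renewed == null || renewed.Expiration == ticket.Expiration)
            return false;   // less than half of the lifetime has been used
        response.Cookies.Add(Build(renewed));
        return true;
    }
}
```

Because Build is the only place a cookie is created, a stolen or replayed cookie cannot outlive the ticket inside it, and the renewed cookie carries the same flags as the original.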