Re: What relationship between cookie and ticket expiration?

From: Bill Borg (BillBorg_at_discussions.microsoft.com)
Date: 12/23/04


Date: Wed, 22 Dec 2004 23:27:02 -0800

Excellent help...thanks.

"Chris R. Timmons" wrote:

> Bill Borg <BillBorg@discussions.microsoft.com>
> wrote in news:BA993C61-C962-4D29-B71A-A13660C3F180@microsoft.com:
>
> > Hello all,
> >
> > I am working on forms authentication and trying to understand:
> > what's the relationship between the cookie expiration and the
> > ticket expiration? I create a cookie and I add an encrypted
> > ticket to it. Both of these have an expiration date, but I'm not
> > seeing how to use them. Does it make sense that these dates
> > would ever differ?
>
> Bill,
>
> There's really no relationship, and in practice both dates are
> usually the same.
>
> The cookie's expiration date is used by the browser to determine if
> the cookie should be erased. The ticket's expiration date is used by
> ASP.Net's forms authentication system (or your code, if you handle
> forms authentication manually).
>
> The only operational problem that can arise is if the cookie's
> expiration date is earlier than the ticket's expiration date. That
> may cause confusion on the part of the user if they think their
> login lasts for a certain period of time, but the cookie holding
> their authentication ticket gets erased by the browser before the
> ticket expires.
>
> --
> Hope this helps.
>
> Chris.
> -------------
> C.R. Timmons Consulting, Inc.
> http://www.crtimmonsinc.com/
>
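
The split described in the reply above, shown as an added example that is not part of the original thread: one expiry value drives both the ticket and the cookie at issue time, and only the ticket's expiry is checked on the server. AuthCookieExample, Issue and Validate are hypothetical names; the code assumes System.Web on .NET Framework 2.0 or later.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added illustration; the class and method names are hypothetical.
public static class AuthCookieExample
{
    // Issue a ticket and its cookie from a single expiry so the two cannot drift apart.
    public static void Issue(HttpResponse response, string userName,
                             bool persistent, TimeSpan lifetime)
    {
        DateTime now = DateTime.Now;
        DateTime expires = now.Add(lifetime);

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, expires, persistent,
            String.Empty, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;

        // Persistent login: the browser keeps the cookie until the ticket lapses.
        // Otherwise Expires stays unset and the browser treats it as a session cookie.
        if (persistent)
            cookie.Expires = expires;

        response.Cookies.Add(cookie);
    }

    // Returns the authenticated user name, or null when there is no valid ticket.
    public static string Validate(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; } // fail closed on a tampered or undecryptable value

        // The browser sends back only name=value, never the cookie's expiry,
        // so the ticket's expiration is the only one the server can enforce.
        if (ticket == null || ticket.Expired)
            return null;
        return ticket.Name;
    }
}
```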


