Re: Persistent Cookies



You miss the purpose of persistent cookies. They are not used for session management, they are used for authentication.

A persistent cookie is designed to allow the user to access a secured site without having to log in again when he hits the site the second time. It persists the authentication on the client side so it is sent with the header. The system then automatically logs him in.

Session timeout is a part of your application. While the cookie can "re-log on" the user if he times out, it cannot change the timeout behavior on the server just because the user has a cookie.

For the record, you should NOT increase timeout to days. That defeats the purpose of session management. What you can do is kick the user back to the start page and abandon session, forcing the timeout. You then provide a link on the timeout page. This can be a dynamic link back to where he was working, if you desire. The user will then be logged back in, as the cookie is there.

This may not be what you envision and make you think you want to increase session time until the year 2010. Here is why. The session timeout is how long the server keeps objects in session, meaning in memory on the server. You set a really long timeout, say two weeks out. That session is now open for two weeks. User's computer crashes and he opens the browser and hits your site. You now have 2 two-week sessions for one user. After some work, the user shuts down and then opens the browser again and hits the site. You now have 3 two-week sessions for one user. This can go on until you use all of the memory on the server with just a couple of users.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

*********************************************
Think outside the box!
*********************************************
"sanchita" <sanchita@xxxxxxxxxxxxxx> wrote in message news:OSj$Xv%23bHHA.1244@xxxxxxxxxxxxxxxxxxxxxxx
Hello everyone,

I didn't get any response in "Security" forum hence posting here again.

I am having problem with persistent cookies. Even after setting
"CreatePersistentCookie" to true in "FormsAuthentication.SetAuthCookie" I'm
being logged out after the specified timeout provided in "forms"
element of web.config.

I read somewhere that lifetime of persistent cookies depend on the timeout
attribute on the forms authentication node. If I have to enter a timeout of
days/weeks then it doesn't really make sense to make my cookie persist in
this fashion, that defies the purpose of persistent cookies.

Any insights welcome
Thanks
Sanchita
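Added example, not code from either poster: a small C# helper for ASP.NET 2.0 Forms Authentication that shows the two points made in this thread. First, a persistent cookie issued through FormsAuthentication.GetAuthCookie/SetAuthCookie expires at now plus the forms timeout attribute, so the cookie's lifetime really is tied to that setting. Second, session timeout is enforced separately: when the session is gone but the auth cookie is still valid, the user is sent to a timeout page that abandons the session and offers a link back to where they were, and the cookie re-authenticates them on the way back. The web.config fragment in the comment, the page names Timeout.aspx and Login.aspx, the session key and the helper method names are assumptions for the example.

```csharp
// Added example, not from the thread. Assumed web.config:
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" timeout="30" slidingExpiration="true" />
//   </authentication>
//   <sessionState timeout="20" />
using System;
using System.Web;
using System.Web.Security;

public static class AuthHelpers
{
    // Login: issue a persistent forms cookie. Its Expires is
    // DateTime.Now + <forms timeout>, so timeout="30" gives a 30-minute
    // persistent cookie, not one that lasts until the user clears cookies.
    public static DateTime IssuePersistentCookie(HttpResponse response, string userName)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, true /* persistent */);
        response.Cookies.Add(cookie);
        return cookie.Expires; // inspect this to confirm the lifetime in your own app
    }

    // Call from Page_Load of pages that rely on session state. A user whose
    // session timed out but whose auth cookie is still valid arrives with
    // Request.IsAuthenticated == true and an empty session. Rather than
    // silently continuing with fresh server state, send them to the timeout
    // page and carry the current URL so they can resume.
    public static void EnforceSessionTimeout(HttpContext ctx, string sessionKey)
    {
        if (ctx.Request.IsAuthenticated && ctx.Session != null && ctx.Session[sessionKey] == null)
        {
            string returnUrl = HttpUtility.UrlEncode(ctx.Request.RawUrl);
            ctx.Response.Redirect("~/Timeout.aspx?ReturnUrl=" + returnUrl, true);
        }
    }

    // Timeout.aspx: abandon the session so its objects leave server memory,
    // then hand back the link the page should render. The forms cookie is
    // left in place, so following the link logs the user back in without a
    // second credential prompt.
    public static string BuildResumeLink(HttpContext ctx)
    {
        ctx.Session.Abandon();
        string returnUrl = ctx.Request.QueryString["ReturnUrl"];
        // Accept only site-local paths so the ReturnUrl parameter cannot be
        // turned into an open redirect.
        if (string.IsNullOrEmpty(returnUrl) || !IsLocalUrl(returnUrl))
            returnUrl = FormsAuthentication.DefaultUrl;
        return returnUrl;
    }

    private static bool IsLocalUrl(string url)
    {
        return url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\");
    }
}
```

The login page calls IssuePersistentCookie after validating credentials and stores something under the assumed session key; every page that needs session state calls EnforceSessionTimeout early in Page_Load; Timeout.aspx calls BuildResumeLink and renders the returned path as the "continue" link. Keeping the forms timeout at minutes rather than days, and abandoning the session on the timeout page, is what keeps the per-user session objects from piling up on the server as the reply above describes.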


.