[Original] When ASP. NET Forms authentication is used, the expiration time of the persistent cookie is automatically extended.

Problem description

When Forms authentication is not used before, if the persistent cookie expiration time is set to half an hour during login, many users will complain that the login will expire soon.

Therefore, the cookie expiration time is always set to be longer, for example, two hours or even one day. This ensures that a cookie is set at login, and the user can perform the operation for a long time and does not expire.

Although you can also check the cookie expiration time and automatically expand the time on each user request page, it is not too troublesome. It is not as easy as setting up a big point at a time.

 

Accidental discovery

When I used forms authentication to compile appbox-Enterprise General Management Framework Based on extaspnet, I set it like this in Web. config:

<authentication mode="Forms">      <forms name=".ASPXFORMSAUTH" loginUrl="~/default.aspx" timeout="360" defaultUrl="~/main.aspx" protection="All" path="/"/></authentication>

I set the expiration time to six hours, hoping that the user's complaint will not be heard within six hours after login.
Because you want to save the user's role to user. Identity, you have no intention to find a paragraph in this Article when checking custom Identity Authentication:

If it is not a persistent cookie, the expiration attribute of the cookie's validity period includes the current time plus the web. the timeout time in config. When each request is sent to the page, the system checks whether half of the validity period has been passed during identity authentication. If yes, the cookie validity period is updated once.

Great! In this case, the so-called timeout attribute is not very important at all, and the system will re-determine the expiration time on each request page. If it is about to expire, it will automatically expand.

Note: There is a problem with the reference above. For persistent cookies, non-persistent cookies are generally called session cookies and cannot exist in cross-browser processes, so closing the browser disappears.

 

Verify yourself

The real learning and understanding requires you to do it yourself. The following steps will verify the above statement (Firefox + firebug + firecookie is used below ).

1. Configure web. config

<authentication mode="Forms">      <forms name=".ASPXFORMSAUTH" loginUrl="~/default.aspx" timeout="2" defaultUrl="~/main.aspx" protection="All" path="/"/></authentication>

We set the expiration time to 2 minutes to observe the cookie expiration time.

 

2. login code

In the successful login code, use the following statement code to write the cookie and redirect the page (the second parameter indicates that this is a persistent cookie ):

FormsAuthentication.RedirectFromLoginPage(userName, true);

 

3. Observe the cookie information after login

Because we logged on at 9:04:12, the expiration time here is 9:06:12.

 

4. Refresh the page within 1 minute after login

The page is refreshed within one minute, and the cookie expiration time remains unchanged.

 

5. Refresh the page one minute after login

On the page refreshed at 9:05:13, that is, the last minute, the system will automatically extend the cookie expiration time and add another 2 minutes. Therefore, the current expiration time is 9:07:13.

 

6. Refresh the page 2 minutes after login

Refresh in two minutes and the cookie expires. The page will automatically jump to the login page.

 

Summary

ASP. net Forms authentication not only provides us with consistent and secure authentication means, but also this automatic extension of cookie expiration time mechanism is icing on the cake, this gives us more time to focus on the implementation of business logic.