ASP.NET has provided the following method for creating a forms authentication cookie manually:

public FormsAuthenticationTicket(int version, string name, System.DateTime issueDate, System.DateTime expiration, bool isPersistent, string userData, string cookiePath)

What if I set isPersistent to false and set expiration to some greater value, like 1 week from now? What will happen in this case when the user closes his browser? Will he be authenticated if he opens his browser again? As far as I understand, setting isPersistent to false (irrespective of the expiration date in this case) means the user will not be authenticated as soon as he closes his browser and will be anonymous after reopening the browser.

What does isPersistent false and a valid expiration date mean at the same time?

Rocky Singh

2 Answers

The authentication data will be included in each request/response and not persisted in a cookie. When the user closes and reopens the browser new authentication is needed.

See this thread for tons of info: The definitive guide to form-based website authentication

Marcus

Using something like the following code, your cookie will persist for a week until it expires:

HttpCookie theCookie = FormsAuthentication.GetAuthCookie("theUser", false);

theCookie.Expires = DateTime.Now.AddDays(7);

Response.SetCookie(theCookie);

The only difference between a "persistent" cookie and one that is not is that the expiry is set to "Session" on the latter. The easiest way to confirm this is to test it. From my brief trial, it functions without incident.

The class you are referencing is primarily used internally by the FormsAuthentication library, and I am of the opinion that it should not be your primary method of achieving your goals if they can be reached by a static member function on the FormsAuthentication class, which is provided to you as a helper to accessing all of the functionality encompassed by the library. The FormsAuthenticationTicket class is the output of FormsAuthentication.Decrypt for instance, and would give you information about the data encrypted in the cookie value. It is not what you should be using to create an authentication cookie in code.

EDIT

Regarding what it "means" if both properties are set at the same time, it means that, given your persistent flag in the encrypted ticket data, once the ticket falls out of date it will be renewed each time the user visits. FormsAuthentication will make a call to FormsAuthentication.RenewTicketIfOld to persist the ticket indefinitely. The default behavior when you flag a ticket persistent using the FormsAuthentication.SetAuthCookie or FormsAuthentication.GetAuthCookie helper methods will initialize the ticket's encrypted data with the expiry set to the current date and time when the ticket is created. This can be confirmed by making a call to FormsAuthentication.GetAuthCookie and calling FormsAuthentication.Decrypt using the Value property of the HttpCookie you received. If you inspect the Expiration property of the ticket, you will find it to be set to the current date and time.

lsuarez
  • Can you reply to this: "What does isPersistent false and a valid expiration date mean at the same time?" I mean to say, if I have set isPersistent to false, will the expiration time come into play? – Rocky Singh Mar 27 '12 at 14:37
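
An added example (not code from the question or from either answer) that separates the two lifetimes the question asks about: the expiration stored inside the encrypted ticket, which the server checks, and the Expires attribute of the cookie, which decides whether the browser keeps it after closing. The class TicketCookieDemo and its method names are hypothetical, and the code assumes it runs inside an ASP.NET application with forms authentication configured.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class TicketCookieDemo
{
    // Hypothetical helper: builds a forms authentication cookie by hand.
    public static HttpCookie Issue(string userName, bool isPersistent, TimeSpan lifetime)
    {
        DateTime now = DateTime.Now;

        // The expiration lives inside the encrypted ticket and is enforced
        // by the server, whatever the browser does with the cookie.
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(lifetime), isPersistent,
            string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep it away from script
            Secure = FormsAuthentication.RequireSSL,  // follow the configured setting
            Path = FormsAuthentication.FormsCookiePath
        };

        // Browser-side lifetime. With Expires left unset this is a session
        // cookie: it is dropped when the browser closes, even if the ticket
        // inside would still be valid for days.
        if (isPersistent)
            cookie.Expires = ticket.Expiration;

        return cookie;
    }

    // Server-side check: a cookie that is still being sent (for example in
    // a browser left open for more than the lifetime) is rejected once the
    // ticket's own expiration has passed.
    public static bool IsStillValid(HttpCookie cookie)
    {
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        return ticket != null && !ticket.Expired;
    }
}
```

Calling Issue("theUser", false, TimeSpan.FromDays(7)) gives a cookie the browser discards on close, while the one-week value still caps how long a browser that stays open remains authenticated.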