Question

I was surprised I couldn't find a good answer to this out on the interwebz, so here we are.

I'm setting a FormsAuthenticationTicket to expire after a week. This is used in tandem with a "Remember Me" setting we feature on our login form. This is being accomplished by:

var cookie = new HttpCookie(FormsAuthentication.FormsCookieName);

// set the auth token expiration to a week
var authTicket = new FormsAuthenticationTicket(1, user.Email, DateTime.Now, DateTime.Now.AddHours(168), true, userData);
var encryptedTicket = FormsAuthentication.Encrypt(authTicket);

cookie.Value = encryptedTicket;
cookie.Expires = authTicket.Expiration;

With this, I've also extended our session timeout, as many of our users keep the application open for equally long periods of time:

<forms loginUrl="~/account/sign-in" timeout="10080" name="t5S4U4Y152" domain=".xxxxxxx.xxx.xxxxx"/>

My question:

I've been asked to make this a non-expiring cookie, such that as long as the user retains it, they'll always be logged in - more or less an infinite login. Is there a default value I can set the ticket and timeout to in order to achieve this?

Yes, I could set both expirations to something like 50 years from the present, but I'm wondering if there is a cleaner or more suitable approach?

Solution

No, there isn't any value you can set the expiration to so that it is infinite. You'll just need to set it to something really long.

As you know, if you do not set an expiration the cookie then only lives for the length of the session (when the browser is closed), which is definitely not what you want.

You can also use slidingExpiration="true" so that whenever a user comes back to the site, the expiration date on the cookie is refreshed to be Today + Timeout instead of DateInitiallyIssued + Timeout.
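
The following is an added example, not part of the original question or answer: it issues the ticket with a lifetime taken from the `<forms timeout>` setting and spells out the renewal rule behind sliding expiration, where the ticket is only reissued once more than half of its lifetime has elapsed. `RememberMeTicket`, `Issue`, `Slide` and `BuildCookie` are hypothetical names; the forms authentication module performs the renewal itself when sliding expiration is enabled, so `Slide` is written out only to show the rule.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; RememberMeTicket and its method names are hypothetical.
public static class RememberMeTicket
{
    // Lifetime comes from <forms timeout="..."> so the ticket, the cookie and
    // the configured value cannot drift apart.
    public static void Issue(HttpResponseBase response, string email, string userData, bool rememberMe)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, email, now, now.Add(FormsAuthentication.Timeout), rememberMe, userData);
        response.Cookies.Add(BuildCookie(ticket));
    }

    // Sliding renewal on a returning request: RenewTicketIfOld returns a ticket
    // with a fresh expiration once more than half of the lifetime has elapsed,
    // otherwise it returns the same ticket instance unchanged.
    public static bool Slide(HttpRequestBase request, HttpResponseBase response)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;
        FormsAuthenticationTicket old;
        try { old = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }   // malformed or tampered value
        if (old == null || old.Expired) return false;

        FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(old);
        if (ReferenceEquals(renewed, old)) return false;   // still in the first half
        response.Cookies.Add(BuildCookie(renewed));
        return true;
    }

    private static HttpCookie BuildCookie(FormsAuthenticationTicket ticket)
    {
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                           // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,   // follows requireSSL in <forms>
            Path = FormsAuthentication.FormsCookiePath
        };
        if (FormsAuthentication.CookieDomain != null) cookie.Domain = FormsAuthentication.CookieDomain;
        // Only a persistent ("Remember Me") cookie gets an expiry; without one
        // the browser drops the cookie when it closes.
        if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
        return cookie;
    }
}
```

With a week-long timeout, a user who returns at least once in any half-week window keeps the session alive indefinitely, while a copied cookie that is never presented again still expires after a week.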

Licensed under: CC-BY-SA with attribution