ASP.net MVC 4 session cookie expires when user closes browser

Question

I had the same issue like this guy. Because I am lucky, his solution also worked for me. But I think it's a bit dirty and I was wondering if there isn't a better one.

I've set up this configuration on IIS, but the cookies will always expire when the user closes her browser (if I don't use he "cookie hack")

Any Ideas?

EDIT: To clearify: It not the Server side session that is lost, it's only the "ASP.NET_SessionId" cookie lifetime, which is incorrect.

EDIT2: After some Research, I was wondering when the ASP.NET_SessionId cookie is actually set. If I delete it (using Firefox) and refreshing the page (even several times) a new one won't appear ... What's going on here?

EDIT3: I just found out, that the session id cookie will be set if I put something into the session, so that question (EDIT2) is off.

Answer 1

The session cookie will exire as soon as possible for security reasons. One should not extent it's lifetime due to session hijacking.

If you need "the old session back", then use ASP.NET authentication and generate a new session after the users comes back to the site. This will safe memory and also increase overall security.