Question

I have a web application with FormsAuthentication and with slidingExpiration="true" in my web.config, but when I look at the HTTP transactions, I cannot see the web server returning the AUTH cookie in each request.

Checking the docs, it should.

slidingExpiration

Optional attribute. Specifies whether sliding expiration is enabled. Sliding expiration resets the active authentication time for a cookie to expire upon each request during a single session. This attribute can be one of the following values.

Value: Description
True: Specifies that sliding expiration is enabled. The authentication cookie is refreshed and the time to expiration is reset on subsequent requests during a single session.
False: Specifies that sliding expiration is not enabled and the cookie expires at a set interval from the time the cookie was originally issued.

The default is True.

Does anyone know why it is not working as expected?

Cheers.

Solution

I have read this: http://www.dotnetmonster.com/Uwe/Forum.aspx/asp-net-security/2316/problem-with-slidingExpiration

In other words, if the elapsed time since ticket creation is greater than half the ticket timeout (in your scenario would be 1 minute) the ticket won't be renewed. Otherwise a new ticket will be granted with a fresh timeout (2 mins in your case). Summarizing, if you hit your page after 1 minute, it won't extend your Forms session lifetime regardless of your slidingExpiration setting.

It makes sense, but I cannot find any official source. So I will test it myself when I have some spare time.

Cheers.

Other tips

New cookies will be issued only when half of the time has elapsed since the cookie's creation, and that is what is happening in your case.
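
The half-timeout rule from the answer above, as an added example that is not part of the original thread: a small Python model that replays a request timeline against a 2-minute ticket and reports which responses would carry a fresh cookie. The function names, the constructed sample timeline and the treatment of the exact halfway point (counted as "renew") are assumptions.

```python
from datetime import timedelta


def s(seconds):
    """Shorthand for an offset in seconds since login."""
    return timedelta(seconds=seconds)


def simulate(timeout, request_times):
    """Replay requests (offsets from login) against a sliding-expiration ticket.

    Returns one (offset, outcome) pair per request, where outcome is:
      'reused'  - ticket still valid, less than half its lifetime used,
                  so the response carries no new auth cookie
      'renewed' - at least half the lifetime used (assumed boundary),
                  so a fresh ticket and cookie are issued
      'expired' - ticket lifetime is over; the user must log in again
    """
    issued = s(0)
    expires = issued + timeout
    results = []
    for now in request_times:
        if now >= expires:
            results.append((now, "expired"))
            break  # nothing after this request uses the old ticket
        elapsed = now - issued      # time since the ticket was issued
        remaining = expires - now   # time left before it expires
        if elapsed >= remaining:
            issued, expires = now, now + timeout
            results.append((now, "renewed"))
        else:
            results.append((now, "reused"))
    return results


# Constructed sample: timeout of 2 minutes, requests at these offsets.
TIMEOUT = s(120)
SAMPLE = [s(30), s(50), s(70), s(125), s(200)]

if __name__ == "__main__":
    for offset, outcome in simulate(TIMEOUT, SAMPLE):
        print(f"t+{int(offset.total_seconds()):>3}s  {outcome}")
```

In the sample, the request at 125 s arrives less than halfway through the ticket renewed at 70 s, so the ticket still expires at 190 s and the request at 200 s is rejected after only 75 s of inactivity, well short of the configured 2 minutes.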

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow