How long does a session-only cookie last? When to re-authenticate

How long can I use session-only cookies? I have a client application where I authenticate to a SharePoint site, and I use cookies to navigate through the child sites. I save the cookie and reuse the headers to enter the site at a later time without re-authentication. The cookie has no expiration date. How long will the cookie last, and when should I authenticate again?

+7
2 answers

Session cookie expiry varies from browser to browser. I could not find any link giving the current specification for each browser. It used to be that session cookies would be destroyed when the browser was closed, but some browsers now have settings that, if enabled, will cause session cookies to remain after the browser is closed. For example, Firefox's "When Firefox starts: show my windows and tabs since last time" setting will lead to this unexpected surprise. The same thing happens with the startup setting "Continue when I stopped" in Chrome.

I don't like SharePoint anyway, so I haven't used it for a while, but as I recall, it uses ASP.Net Forms Authentication, pulling the configuration from web.config like any other ASP.Net site. That said, you are not so much concerned with the timeout of your cookie. What you need is the timeout of your server-side session token, that is, how long the data contained in the specified cookie will be recognized by the server. This is set by the timeout property in the forms tag of the web.config file for the ASP.Net application:

<system.web>
  <!-- ... -->
  <authentication mode="Forms">
    <forms timeout="2880" />
  </authentication>
  <!-- ... -->
</system.web>

+6

If there is no expiration, it will continue until the browser is killed. Typically, in ASP.Net, session cookies are set with a 20 minute timeout. This is usually pretty good. Depending on your application, you may also need a JavaScript timer. Otherwise, the browser will not know it has been logged out until the page is refreshed, and sensitive data can be left exposed. You will see this implemented on any online banking site.

(Edit for clarification, following the downvote) Session cookies actually remain in place until the browser is closed. You can read about it here: http://www.allaboutcookies.org/cookies/cookies-the-same.html

The answer above is also correct that some newer browsers restore session cookies after a crash / close.

@Grinn, you raise a good point about the Ticket. When using ASP.Net Forms auth, an encrypted ticket is placed in the session cookie. The cookie may still be in place as far as the browser is concerned, but if the datestamp inside the ticket has expired, it will be considered invalid.

If you use some kind of Forms auth with SharePoint, you can most likely just write your own membership provider, which can crack open the Ticket in the cookie but pay no attention to whether the datestamp has expired. Create a custom membership provider

-1
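
Both answers make the same point: the cookie can outlive the ticket inside it, and it is the ticket's own expiry that the server enforces. The sketch below is an added example, not code from either answer or from ASP.Net. It models a ticket with an embedded expiry using a plain HMAC (real Forms tickets are encrypted as well), and `SERVER_KEY`, `issue_ticket` and `validate_ticket` are hypothetical names.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

SERVER_KEY = b"constructed-demo-key"  # assumption: stand-in for the server's secret key
TIMEOUT_MINUTES = 2880                # the forms timeout value from the web.config above

def _mac(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_ticket(user, now):
    """Cookie value = payload carrying its own expiry + MAC. No cookie Expires is set."""
    expires = now + timedelta(minutes=TIMEOUT_MINUTES)
    payload = json.dumps({"user": user, "expires": expires.isoformat()})
    body = base64.urlsafe_b64encode(payload.encode())
    return body.decode() + "." + _mac(body).decode()

def validate_ticket(cookie_value, now):
    """Server-side check. Returns the user, or None when the client must re-authenticate."""
    try:
        body, mac = cookie_value.rsplit(".", 1)
    except ValueError:
        return None                   # not a ticket at all
    if not hmac.compare_digest(mac.encode(), _mac(body.encode())):
        return None                   # modified or forged ticket
    try:
        data = json.loads(base64.urlsafe_b64decode(body))
        expires = datetime.fromisoformat(data["expires"])
    except (ValueError, KeyError, TypeError):
        return None                   # payload is not a well-formed ticket
    if now >= expires:
        return None                   # cookie is still being sent, but the ticket is dead
    return data["user"]

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed sample time
    saved_cookie = issue_ticket("alice", t0)         # the client stores and replays this
    for hours in (1, 47, 48, 72):
        user = validate_ticket(saved_cookie, t0 + timedelta(hours=hours))
        print(f"+{hours}h:", user or "rejected, re-authenticate")
```

A client that replays a saved cookie therefore cannot predict validity from the cookie alone. It should treat a rejection from the server as the signal to authenticate again.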
