
MVC3 Sliding expiration of cookies not working


I am using the built-in Forms authentication in an MVC3 application. The issue I am currently facing is that the cookie's slidingExpiration is not working.

The web.config file has the following line:

<forms loginUrl="/auth" name="authy" path="/" slidingExpiration="true" />

Note: I have declared slidingExpiration even though the default is true.

Within my code I am making use of the basic Membership Provider class with no extending or modification. My global.asax file is using the system default.

There is no point in adding a code example as this is just a base project with no extra code added. I am using FormsAuthentication.SetAuthCookie(username, true); to set the cookie initially.


Solution

  • Quote from the documentation:

    Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed. If the cookie expires, the user must re-authenticate. Setting the SlidingExpiration property to false can improve the security of an application by limiting the time for which an authentication cookie is valid, based on the configured timeout value.

    Two very important things to notice in this quote:

    1. ... if a request is made ...
    2. ... half of the timeout interval ...

    You haven't specified a timeout so the default value of 30 minutes will be used.

    Another important thing to notice in this quote:

    Setting the SlidingExpiration property to false can improve the security

    but I guess you don't care about security since you have activated it.


    UPDATE:

    Here's a full example illustrating the concept:

    Controller:

    using System.Web.Mvc;
    using System.Web.Security;

    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            // Issue the persistent forms-auth cookie for user "foo".
            FormsAuthentication.SetAuthCookie("foo", true);
            return View();
        }

        // Protected action polled from the view; fails with a redirect to loginUrl once the cookie has expired.
        [Authorize]
        public ActionResult Foo()
        {
            return Json(User.Identity.Name + " is still authenticated", JsonRequestBehavior.AllowGet);
        }
    }
    

    View:

    <script type="text/javascript">
        $(function () {
            // Poll the protected action every 10 seconds; every request made after
            // more than half of the timeout has elapsed renews the auth cookie.
            function poll() {
                window.setTimeout(function () {
                    $.getJSON('@Url.Action("foo")', function (result) {
                        $('#msg').append($('<div/>', { text: result }));
                        poll();
                    });
                }, 10000);
            }
            poll();
        });
    </script>
    
    <div id="msg"></div>
    

    web.config:

    <authentication mode="Forms">
        <forms 
            loginUrl="/auth" 
            name="authy" 
            path="/" 
            slidingExpiration="true" 
            timeout="1" 
        />
    </authentication>
    

    No matter how long you stay on the Index view, the user will still be authenticated.
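The renewal rule the quoted documentation describes, modelled in Python as an added example (this is not code from the question, the answer, or ASP.NET itself): renew_if_old applies the documented "more than half of the timeout interval has elapsed" rule, and simulate replays a list of request times against the one-minute timeout from the answer's web.config. The function names, the Ticket type and the second-based timestamps are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    """Minimal model of a forms-auth ticket (assumed shape): issue and expiry times in seconds."""
    issued: float
    expires: float


def renew_if_old(ticket: Ticket, now: float) -> Ticket:
    """Sliding-expiration rule from the documentation: the ticket is renewed only when
    more than half of the timeout interval has elapsed; otherwise it is left unchanged."""
    elapsed = now - ticket.issued
    remaining = ticket.expires - now
    if remaining > elapsed:  # less than half elapsed: no renewal on this request
        return ticket
    timeout = ticket.expires - ticket.issued
    return Ticket(issued=now, expires=now + timeout)


def simulate(timeout: float, request_times: list[float]) -> tuple[bool, list[float]]:
    """Issue a ticket at t=0 and replay requests at the given times (seconds, ascending).
    Returns (still authenticated after the last request, expiry after each accepted request)."""
    ticket = Ticket(issued=0.0, expires=timeout)
    expiries: list[float] = []
    for t in request_times:
        if t > ticket.expires:  # cookie already expired: the user must re-authenticate
            return False, expiries
        ticket = renew_if_old(ticket, t)
        expiries.append(ticket.expires)
    return True, expiries


if __name__ == "__main__":
    # Constructed scenarios with timeout="1" (one minute), as in the answer's web.config.
    polling = [float(t) for t in range(10, 130, 10)]  # the view's 10-second poll
    print("polling every 10s:", simulate(60.0, polling))
    print("requests at 20s and 90s:", simulate(60.0, [20.0, 90.0]))  # 20s request did not renew
    print("requests at 20s and 59s:", simulate(60.0, [20.0, 59.0]))  # 59s request renews in time
```

The second scenario is the point of the answer: a request made before half the timeout has elapsed does not extend the session, so a later gap longer than the timeout still logs the user out.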