asp.net security .aspxauth

.ASPXAuth Cookie changes during session


Is there any reason why, in the middle of an authenticated session, the .ASPXAUTH cookie would change its value?

It doesn't seem that ASP.NET_SessionId has changed its value at the same point (and the session hasn't expired).

Are there some rules that dictate that the .ASPXAUTH cookie value is updated periodically or for any other reason?

The issue is that we're cross-checking the values of these cookies to make sure they don't change during a session, as a protection against XSS or session hijacking.


Solution

  • The cookie is automatically reissued due to so-called "sliding expiration". If your cookie is issued at time T and the cookie timeout is set to X minutes, then the first request made to the server at T + (X/2) causes the cookie to be reissued.
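
The reissue rule from the answer, modelled over a timeline of requests as an added C# example (not code from the original post or from ASP.NET itself). The `Ticket` type, the user name, the request times and the 30-minute timeout are constructed for illustration.

```csharp
using System;

// Simplified stand-in for a forms-authentication ticket (constructed type, not System.Web's).
record Ticket(string Name, DateTime Issued, DateTime Expires);

static class SlidingExpirationDemo
{
    // Sliding expiration: once at least half of the timeout has elapsed,
    // the request gets a fresh ticket, and therefore a new cookie value.
    static Ticket RenewIfOld(Ticket t, DateTime now)
    {
        TimeSpan elapsed = now - t.Issued;
        TimeSpan remaining = t.Expires - now;
        if (remaining > elapsed) return t;   // still in the first half of the window
        return t with { Issued = now, Expires = now + (t.Expires - t.Issued) };
    }

    static void Main()
    {
        DateTime t0 = new DateTime(2024, 1, 1, 9, 0, 0);   // constructed login time T
        TimeSpan timeout = TimeSpan.FromMinutes(30);        // X = 30 (assumed setting)
        var ticket = new Ticket("alice", t0, t0 + timeout);

        // Constructed request times, in minutes after T.
        foreach (int minute in new[] { 5, 14, 16, 29, 40, 80 })
        {
            DateTime now = t0.AddMinutes(minute);
            if (now >= ticket.Expires)
            {
                Console.WriteLine($"T+{minute,2}: ticket expired, user must sign in again");
                break;
            }

            Ticket next = RenewIfOld(ticket, now);
            bool reissued = !ReferenceEquals(next, ticket);
            double expiresAt = (next.Expires - t0).TotalMinutes;
            Console.WriteLine($"T+{minute,2}: user={next.Name} reissued={reissued} expires=T+{expiresAt}");
            ticket = next;
        }
    }
}
```

Across the reissues the user name in the ticket stays the same, while the issue and expiry times, and so the cookie value that carries them, do not.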