asp.net session cookies iis-7 formsauthenticationticket

How does the time relationship between a Cookie and FormsAuthenticationTicket really work?


I'm doing a bit of testing on Cookie/FormsAuthenticationTicket/Session timeouts. During my testing I found something really interesting.

  • Create a Session Cookie
  • cookie.Expires = DateTime.MinValue;
  • Create a FormsAuthenticationTicket with an expiration of 5 minutes
  • Set Session Timeout in web.config to 3 minutes
  • Then I created an ASP.NET button that simply calls Response.Redirect(Request.RawUrl); to refresh the page to see if I'm still in the secure section of the page.

If I continuously refresh the page, the FormsAuthenticationTicket lasts longer than 5 minutes.

So my questions are:

  • I'm assuming this is by design but is this true?
  • Is this because this is a session cookie?
  • If it is because it's a session cookie, what's the expected behavior of a non-session cookie?

Solution

As stated in the comments, this is due to the default value of sliding expiration being true: http://msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.slidingexpiration.aspx

Thanks!
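The effect of sliding expiration on the 5-minute ticket from the question can be reproduced with a simulated clock. This is an added example, not code from the original post: it models the renewal rule used by FormsAuthentication.RenewTicketIfOld (the ticket is reissued once half of its lifetime has elapsed) without referencing System.Web, and the class and method names are hypothetical.

```csharp
using System;

// Stand-alone model of the forms-authentication renewal rule (no System.Web needed).
// The clock is simulated so the run is instant and repeatable.
static class SlidingExpirationDemo
{
    // Same comparison as FormsAuthentication.RenewTicketIfOld: keep the ticket while
    // more time remains than has elapsed, otherwise reissue it with the same lifetime.
    static void RenewIfOld(ref DateTime issued, ref DateTime expires, DateTime now)
    {
        TimeSpan elapsed = now - issued;
        TimeSpan remaining = expires - now;
        if (remaining > elapsed) return;   // still in the first half of the lifetime
        TimeSpan lifetime = expires - issued;
        issued = now;
        expires = now + lifetime;          // expiration slides forward from this request
    }

    // Returns the minute of the first request that arrives with an expired ticket,
    // or -1 if every request up to totalMin is accepted.
    static int FirstRejectedMinute(bool sliding, int timeoutMin, int refreshEveryMin, int totalMin)
    {
        DateTime start = new DateTime(2024, 1, 1, 12, 0, 0);   // constructed sample time
        DateTime issued = start, expires = start.AddMinutes(timeoutMin);
        for (int m = refreshEveryMin; m <= totalMin; m += refreshEveryMin)
        {
            DateTime now = start.AddMinutes(m);
            if (expires < now) return m;   // expired ticket: user is sent back to login
            if (sliding) RenewIfOld(ref issued, ref expires, now);
        }
        return -1;
    }

    static void Main()
    {
        // The question's setup: 5-minute ticket, page refreshed over and over
        // (modelled here as one request every 2 minutes for an hour).
        Console.WriteLine("slidingExpiration=true,  2-min refresh: {0}",
            FirstRejectedMinute(true, 5, 2, 60));
        Console.WriteLine("slidingExpiration=false, 2-min refresh: {0}",
            FirstRejectedMinute(false, 5, 2, 60));
        // Requests spaced further apart than the timeout: sliding cannot keep the ticket alive.
        Console.WriteLine("slidingExpiration=true,  6-min refresh: {0}",
            FirstRejectedMinute(true, 5, 6, 60));
    }
}
```

With sliding expiration on, the configured timeout bounds idle time only, so an absolute cap on session length has to be enforced separately (for example by setting slidingExpiration to false).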