You miss the purpose of persistant cookies. They are not used for session
management, they are used for authentication.
A persistent cookie is designed to allow the user to access a secured site
without having to log in again when he hits the site the second time. It
persists the authentication on the client side so it is sent with the
header. The system then automatically logs him in.
Session timeout is a part of your application. While the cookie can "re-log
on" the user if he times out, it cannot change the timeout behavior on the
server just because the user has a cookie.
For the record, you should NOT increase timeout to days. That defeats the
purpose of session management. What you can do is kick the user back to the
start page and abandon session, forcing the timeout. You then provide a link
on the timeout page. This can be a dynamic link back to where he was
working, if you desire. The user will then be logged back in, as the cookie
is there.
This may not be what you envision and make you think you want to increase
session time until the year 2010. Here is why. The session timeout is how
long the server keeps objects in session, meaning in memory on the server.
You set a really long timeout, say two weeks out. That session is now open
for two weeks. User's computer crashes and he opens the browser and hits
your site. You now have 2 two-week sessions for one user. After some work,
the user shuts down and then opens the browser again and hits the site. You
now have 3 two-week sessions for one user. This can go on until you use all
of the memory on the server with just a couple of users.
--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
*********************************************
Think outside the box!
*********************************************
"sanchita" <sa******@fareportal.comwrote in message
news:OS****************@TK2MSFTNGP04.phx.gbl...
Hello everyone,
I didn't get any response in "Security" forum hence posting here again.
I am having problem with persistent cookies. Even after setting
"CreatePersistentCookie" to true in "FormsAuthentication.SetAuthCookie"
I'm
being logged out after the specifed timeout provided in "forms"
element of web.config.
I read somewhere that lifetime of persistent cookies depend on the timeout
attribute on the forms authentcation node. If I have to enter a timeout of
days/weeks then it doesnt really make sense to make my cookie persist in
this fashion, that defies the purpose of persistent cookies.
Any insights welcome
Thanks
Sanchita