Change to ASP.NET 2.0 Forms Authentication Persistent Cookies
I have already highlighted some of the subtle security and migration issues with .NET Framework 2.0 such as:
This time, however, I will talk about a third subtle change, which concerns the cookie expiration value under ASP.NET 2.0 Forms Authentication. In ASP.NET 1.1, a persistent Forms Authentication cookie (for example, one issued by FormsAuthentication.SetAuthCookie(userName, true)) had a timeout of approximately 50 years. Such long-lived cookies significantly increased the exposure to identity spoofing and authentication replay attacks: anyone who obtained a copy of the cookie could present it more or less indefinitely. With the release of ASP.NET 2.0, persistent cookies, such as those issued when the RememberMeSet property of the new Login control is true, have a lifetime of 30 minutes by default.
This means that in ASP.NET 2.0 the timeout value of both persistent and session-based cookies is controlled by the timeout attribute on the <forms/> element (default: 30 minutes), with the cookie being renewed on requests made after half of that timeout has elapsed if slidingExpiration is enabled (the default). It also means that if you migrate an ASP.NET 1.1 application to ASP.NET 2.0, you can expect your persistent cookies to drop from 50 years to 30 minutes unless you increase the value of the timeout attribute (or issue the ticket with an explicit expiration date yourself).
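As an added illustration (this is example code, not code from the original post), the following code-behind for an ASP.NET 2.0 Login control issues a persistent ticket with an explicit expiration instead of relying on the <forms/> timeout, and includes a helper that decrypts an incoming authentication cookie so you can verify what lifetime your migrated application is actually issuing. The control ID (LoginControl), the one-year lifetime and the helper name are assumptions chosen for the example.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    // Assumed for the example: how long a "remember me" ticket should live.
    // Pick the shortest value the application can tolerate; the longer the
    // ticket is valid, the longer a stolen cookie can be replayed.
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(365);

    // Wired to the LoggedIn event of a Login control with ID="LoginControl"
    // (assumed name). Credentials have already been validated at this point.
    protected void LoginControl_LoggedIn(object sender, EventArgs e)
    {
        Login login = (Login)sender;
        if (!login.RememberMeSet)
        {
            return; // Non-persistent: the cookie the control issued is fine.
        }

        DateTime issued = DateTime.Now;
        // The expiration is embedded in the encrypted ticket, so the server
        // enforces it; setting only HttpCookie.Expires would not be enough.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            login.UserName,
            issued,
            issued.Add(PersistentLifetime),
            true,                               // persistent
            String.Empty,                       // userData
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Expires = ticket.Expiration;     // browser-side lifetime matches the ticket
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                 // keep script from reading it
        cookie.Secure = FormsAuthentication.RequireSSL;

        // Replace the cookie the Login control already queued for this response.
        Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(login.UserName, true));
    }

    // Diagnostic helper (assumed name): returns the expiration embedded in the
    // caller's current Forms Authentication ticket, or null if there is none.
    // Useful for confirming the 30-minute default after a 1.1 to 2.0 migration.
    public static DateTime? CurrentTicketExpiration(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        return ticket == null ? (DateTime?)null : ticket.Expiration;
    }
}
```

Because the expiration lives inside the encrypted ticket, this approach works regardless of the timeout attribute; the trade-off is that you have taken over the decision about how long a stolen cookie remains replayable, so keep the lifetime as short as the application allows and make sure requireSSL is on for any site served over HTTPS.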
Comments
- Anonymous
July 15, 2006
This has haunted me a few times in the past, so for my own sake I figured I would write a quick blog