FedAuth cookie not showing expiration date in Firebug

I have an ASP.Net MVC site secured with SSL. I am using System.IdentityModel.Services and generating a token like this:

using System;
using System.IdentityModel.Services;   // SessionAuthenticationModule, FederatedAuthentication
using System.IdentityModel.Tokens;     // SessionSecurityToken

// Token is valid for one day from now (server-side lifetime).
SessionSecurityToken token = new SessionSecurityToken(myClaimsPrincipal, TimeSpan.FromDays(1));
SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
// Serialises the token into the FedAuth cookie(s) on the current response.
sam.WriteSessionTokenToCookie(token);


When I access the site in a browser, Firebug does not display the expiration date as expected. Instead, the expiration date is displayed as "Session":

Expiry date = "Session"

Can someone explain why this is the case? I'm guessing ASP.Net can still see the actual expiration date when it reads the cookie? Moreover, where is the actual cookie expiration time set?

+3




1 answer


You are mixing two different things here:

  • The validity period of the token determines how long the token is valid. After this time, even if the token is attached to the request, it is considered invalid and will not be honored. Usually, the expiration time is encrypted within the token itself, which means that it is controlled exclusively by the token issuer.

  • Cookie expiration is something that is controlled by the client (in this case, your web browser). After the cookie expires, it is no longer attached to the request. But if the browser decides to send it, it will work until the token expires.

In your particular case, the token expiration is set to 1 day, but since the cookie expiration is set to "Session", if you end your session (usually by closing your browser window) at some point before the token expires, the cookie will not be sent and you will need to log in again.

After 1 day (when the token expires), even if you are still in the same session, you will need to log in again.



Update (as per your comments):

Ticket expiration and cookie expiration can be set separately, because the ticket is not necessarily always contained in the cookie. It can be sent to the server by other means (query string, custom HTTP header, etc.). However, it is natural for both to be set to the same expiration time.

This also applies to your SessionSecurityToken: if you set its IsPersistent flag to true, you will notice that the cookie now expires at the same time as the ticket:

using System;
using System.IdentityModel.Tokens;

// Token lifetime: one day, enforced on the server.
SessionSecurityToken token = new SessionSecurityToken(myClaimsPrincipal, TimeSpan.FromDays(1));
// Persistent: the cookie gets an Expires attribute matching the token's ValidTo
// instead of being a browser-session cookie.
token.IsPersistent = true;


+4
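The two lifetimes the answer distinguishes, shown together in one added example (this is not code from the question or the answer): a helper that issues the WIF session token either as a browser-session cookie or as a persistent one, and a second helper that reads the token back and reports the server-side lifetime, which is visible to the application even when the browser shows the cookie as "Session". The helper names, the one-day lifetime and the `rememberMe` parameter are assumptions chosen for the example; `SessionSecurityToken`, `IsPersistent`, `ValidTo`, `TryReadSessionTokenFromCookie` and the `CookieHandler` properties are the framework's own.

```csharp
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;

// Added example, not part of the original post.
public static class SessionCookieIssuer
{
    // Hypothetical helper. rememberMe selects a persistent cookie; the
    // one-day lifetime is an assumed value.
    public static SessionSecurityToken Issue(ClaimsPrincipal principal, bool rememberMe)
    {
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;

        // Token validity: lives inside the protected token and is enforced
        // server-side regardless of what the browser does with the cookie.
        var token = new SessionSecurityToken(principal, TimeSpan.FromDays(1));

        // Cookie validity: "Session" (discarded when the browser closes) unless
        // IsPersistent is true, in which case the cookie's Expires attribute is
        // aligned with the token's ValidTo.
        token.IsPersistent = rememberMe;

        // Cookie hardening; normally configured once in web.config rather than
        // per request, shown here so the two settings are visible together.
        sam.CookieHandler.RequireSsl = true;            // Secure: HTTPS only
        sam.CookieHandler.HideFromClientScript = true;  // HttpOnly

        sam.WriteSessionTokenToCookie(token);
        return token;
    }

    // What the server sees when the cookie comes back: the expiry is read from
    // the token, not from the cookie's Expires attribute, so a "Session" cookie
    // still carries a precise server-side deadline.
    public static TimeSpan? RemainingLifetime()
    {
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        SessionSecurityToken token;
        if (!sam.TryReadSessionTokenFromCookie(out token))
            return null;    // no (valid) FedAuth cookie on this request

        // Negative or zero means the token has expired even if the browser
        // is still sending the cookie within the same browsing session.
        return token.ValidTo - DateTime.UtcNow;
    }
}
```

Calling `Issue(principal, false)` reproduces the situation in the question (Firebug shows "Session", `RemainingLifetime()` still reports roughly one day); `Issue(principal, true)` yields a cookie whose Expires matches `token.ValidTo`. The trade-off is the one the answer implies: a session cookie limits exposure to the open browser session, while a persistent cookie survives browser restarts for the full token lifetime, so the token lifetime chosen for persistent cookies should be the shorter of the two.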








