0
votes

I am using forms authentication and creating a non-persistent cookie.

The cookie expires when I close the browser, which is the expected behaviour. But the cookie is not expiring even after the application is idle for the timeout specified. My requirement is that the cookie should expire either when the user closes the browser or when the timeout has elapsed.

I am using ASP.NET MVC4. Is there any way that I could achieve both of the requirements?

1
Did you find your answer? Can you share it if you did? - Pingpong

1 Answer

2
votes

You might need to turn off slidingExpiration if you don't want the cookie to be renewed automatically upon each request:

<authentication mode="Forms">
    <forms 
        loginUrl="~/Account/LogOn"
        cookieless="UseCookies"
        slidingExpiration="false" 
        timeout="1"
    />
</authentication>

Now after 1 minute the cookie will expire and the user will no longer be authenticated on subsequent requests. The cookie will be sent by the client browser but the FormsAuthentication module will detect that the cookie has expired and reject the request.
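
The following is an added example, not code from the question or the answer above. It shows how the two requirements combine: the expiry lives inside the encrypted ticket and follows the configured `timeout`, while the cookie itself has no `Expires` value and so disappears when the browser closes. The class and method names (`SessionTicket`, `Issue`, `Remaining`) are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper, not part of ASP.NET or of the answer above.
public static class SessionTicket
{
    // Issues a forms-auth ticket that expires after the configured timeout,
    // carried in a cookie that the browser drops when it is closed.
    public static void Issue(HttpResponseBase response, string userName)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                      // ticket version
            userName,
            now,                                    // issue date
            now.Add(FormsAuthentication.Timeout),   // expiry from <forms timeout="...">
            false,                                  // isPersistent
            string.Empty,                           // no user data
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // not readable from script
            Secure = FormsAuthentication.RequireSSL, // follows <forms requireSSL="...">
            Path = FormsAuthentication.FormsCookiePath
        };
        // cookie.Expires is deliberately left unset: that makes it a session cookie.
        response.Cookies.Add(cookie);
    }

    // Returns the time left on the ticket, or null when the cookie is missing,
    // cannot be decrypted, or carries a ticket that has already expired.
    public static TimeSpan? Remaining(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }   // malformed value
        catch (HttpException) { return null; }       // failed validation

        if (ticket == null || ticket.Expired) return null;
        return ticket.Expiration - DateTime.Now;
    }
}
```

With `slidingExpiration="false"` the value returned by `Remaining` only counts down, because the module never reissues the ticket with a later expiry.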