
How long can I use a session cookie? I have a client application where I authenticated to a SharePoint site and I am using the cookies for navigating through the subsites. I am saving the cookie and reusing the headers to login to the site at a later point without authenticating again. There is no expiration date set. How long will the cookie last and when should I authenticate back again?


2 Answers

9
votes

The expiration of session cookies varies from browser to browser. I was unable to find any kind of reference giving the current specifics per browser. It used to be that session cookies would be destroyed when the browser was closed, but some browsers now have settings that, if enabled, will cause session cookies to persist past the browser being closed. For example, Firefox's "When Firefox starts: Show my windows and tabs from last time" will cause this to happen, somewhat surprisingly. The same goes for, "On startup: Continue where I left off" in Chrome.

I don't really care for SharePoint so I haven't used it in a while, but as I recall it uses ASP.Net Forms Authentication, pulling the configuration from the web.config just like any other ASP.Net site. That being said, you're not really concerned with the timeout of your cookie. What you care about is the timeout of your server-side session token - that is to say, how long the data contained in said cookie will be recognized by the server. That is set by the timeout property in the forms tag of the web.config file for an ASP.Net app:

<system.web>
    <!-- ... -->
    <authentication mode="Forms">
        <!-- timeout is in minutes: 2880 = 48 hours; sliding expiration is on by default -->
        <forms timeout="2880" />
    </authentication>
    <!-- ... -->
</system.web>
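Since the answer's point is that the server-side ticket timeout, not the cookie, decides when the saved headers stop working, here is an added example (not code from the question or the answer) of a client that persists the cookie with a timestamp, makes a local guess from the web.config timeout, and still re-authenticates the moment the server redirects it to a login page. The 2880-minute timeout, the `FedAuth` sample cookie values, the probe URL and the login-page patterns in `LOGIN_HINTS` are assumptions for illustration; take the real timeout from the site's web.config and the real login path from an actual rejected response.

```python
# Added example: reuse a saved Forms-auth cookie, but let the server decide validity.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Mapping, Optional, Tuple

# Mirrors <forms timeout="2880" />: the value is in minutes (2880 = 48 hours). Assumed.
FORMS_TIMEOUT = timedelta(minutes=2880)

# Hypothetical patterns: a redirect whose Location contains one of these means the
# server no longer accepts the ticket (ASP.NET Forms auth redirects with ?ReturnUrl=).
LOGIN_HINTS = ("login.aspx", "authenticate.aspx", "returnurl=")


@dataclass
class SavedSession:
    """What the client persists instead of a bare cookie string."""
    cookie_header: str          # value sent in the Cookie: request header
    authenticated_at: datetime  # when credentials were last presented
    last_used_at: datetime      # last request the server accepted
    sliding: bool = True        # matches slidingExpiration="true", the ASP.NET default

    def likely_valid(self, now: datetime, timeout: timedelta = FORMS_TIMEOUT) -> bool:
        """Local guess only; the server, not the cookie, has the final say."""
        anchor = self.last_used_at if self.sliding else self.authenticated_at
        return now - anchor < timeout


def server_rejected(status: int, headers: Mapping[str, str]) -> bool:
    """True when a response shows the Forms-auth ticket is no longer accepted."""
    if status in (401, 403):
        return True
    if status in (301, 302, 303, 307, 308):
        location = headers.get("Location", "").lower()
        return any(hint in location for hint in LOGIN_HINTS)
    return False


# (cookie_header, url) -> (status, response headers); injected so this runs offline.
Send = Callable[[str, str], Tuple[int, Mapping[str, str]]]
# Performs the real interactive login and returns a fresh session.
Login = Callable[[], SavedSession]


def ensure_session(saved: Optional[SavedSession], now: datetime, probe_url: str,
                   send: Send, login: Login) -> Tuple[SavedSession, bool]:
    """Return (session, reauthenticated).

    The saved cookie is reused only if it is locally plausible AND a cheap probe
    request is accepted by the server; otherwise credentials are presented again.
    """
    if saved is not None and saved.likely_valid(now):
        status, headers = send(saved.cookie_header, probe_url)
        if not server_rejected(status, headers):
            saved.last_used_at = now   # sliding expiration: server renewed the ticket
            return saved, False
    return login(), True
```

The probe is the important part: a cookie with no `Expires` attribute tells the client nothing about whether the ticket inside it is still honoured, so the only reliable signal is the server's own answer.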
1 vote

If there's no expiry it's going to be around until the browser is killed. Normally in ASP.Net the session cookies are set with a 20 minute timeout. That's usually pretty good. Depending on your app, you may want a JavaScript timer as well. Otherwise the browser won't understand when it's logged out until a page refresh happens and sensitive data can be exposed. You'll see this implementation on any online banking site.

(Edit to clarify from downvote) Session cookies do, in fact, stay around until the browser is closed. You can look it up here: http://www.allaboutcookies.org/cookies/cookies-the-same.html

The above answer is also correct in that some newer browsers will recover session cookies after a crash/close.

@Grinn, you do bring up a good point about the Ticket. When using ASP.Net Forms auth, an encrypted Ticket is placed within the session cookie. The cookie can still be in place as far as the browser is concerned, but if the datestamp inside the ticket is expired, it will be considered invalid.

If you're using some semblance of Forms auth with Sharepoint, you should probably just write your own membership provider that can crack the Ticket in the cookie, but disregard if the datestamp is expired. See: Building Custom Membership Provider.
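To make the ticket point concrete, here is an added example (not from either answer, and not ASP.NET's own code) of a server-side check on a ticket that carries its own expiry, so the server rejects it even while the browser or client keeps sending the cookie. Real ASP.NET Forms-auth tickets are encrypted and MAC'ed with the machineKey in a binary layout of their own; this model swaps that for an HMAC-SHA256 over a small JSON payload, which is enough to show the datestamp check and the sliding renewal. The 20-minute timeout is the answer's default; the secret key and user names are constructed for the example.

```python
# Added example: a simplified model of a self-expiring, MAC-protected auth ticket.
import base64
import binascii
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SECRET = b"example-machine-key-not-for-production"   # assumption: per-site secret
DEFAULT_TIMEOUT = timedelta(minutes=20)              # the answer's usual ASP.NET default


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_ticket(user: str, now: datetime, timeout: timedelta = DEFAULT_TIMEOUT,
                 key: bytes = SECRET) -> str:
    """Build payload.mac where the payload carries issue and expiry timestamps."""
    payload = json.dumps({"u": user,
                          "iat": int(now.timestamp()),
                          "exp": int((now + timeout).timestamp())},
                         separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def validate_ticket(ticket: str, now: datetime,
                    key: bytes = SECRET) -> Tuple[Optional[str], Optional[str]]:
    """Return (user, renewed_ticket).

    user is None when the ticket is malformed, tampered with, or past its
    datestamp, regardless of whether the cookie itself is still present.
    renewed_ticket follows ASP.NET's sliding-expiration rule: a fresh ticket is
    issued only once more than half the lifetime has elapsed, so a chatty client
    does not get a rewritten cookie on every response.
    """
    try:
        p64, m64 = ticket.split(".")
        payload, mac = _unb64(p64), _unb64(m64)
    except (ValueError, binascii.Error):
        return None, None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None, None
    data = json.loads(payload)
    issued = datetime.fromtimestamp(data["iat"], tz=timezone.utc)
    expires = datetime.fromtimestamp(data["exp"], tz=timezone.utc)
    if now >= expires:
        return None, None
    lifetime = expires - issued
    renewed = None
    if now - issued > lifetime / 2:
        renewed = issue_ticket(data["u"], now, lifetime, key)
    return data["u"], renewed
```

The MAC check comes before any field is read, which is why the expiry inside the ticket cannot simply be edited forward by whoever holds the cookie; that is the property the real encrypted ticket provides and the reason the cookie's own lifetime is the wrong thing to reason about.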