10

How long can I use a session cookie? I have a client application where I authenticated to a SharePoint site and I am using the cookies for navigating through the subsites. I am saving the cookie and reusing the headers to log in to the site at a later point without authenticating again. There is no expiration date set. How long will the cookie last, and when should I authenticate again?

Dario Seidl
rogerstone

2 Answers

10

The expiration of session cookies varies from browser to browser. I was unable to find any kind of reference giving the current specifics per browser. It used to be that session cookies would be destroyed when the browser was closed, but some browsers now have settings that, if enabled, will cause session cookies to persist past the browser being closed. For example, Firefox's "When Firefox starts: Show my windows and tabs from last time" will cause this to happen, somewhat surprisingly. The same goes for, "On startup: Continue where I left off" in Chrome.

I don't really care for SharePoint so I haven't used it in a while, but as I recall it uses ASP.Net Forms Authentication, pulling the configuration from the web.config just like any other ASP.Net site. That being said, you're not really concerned with the timeout of your cookie. What you care about is the timeout of your server-side session token - that is to say, how long the data contained in said cookie will be recognized by the server. That is set by the timeout property in the forms tag of the web.config file for an ASP.Net app:

<system.web>
    <!-- ... -->
    <authentication mode="Forms">
        <!-- timeout is in minutes: 2880 = 48 hours before the ticket stops being honoured -->
        <forms timeout="2880" />
    </authentication>
    <!-- ... -->
</system.web>
Grinn
  • Thanks for the answer. Unfortunately I am not able to validate this at the moment. Upvoted – rogerstone Oct 29 '13 at 22:15
  • 1
    I was so confused why my session cookies were never getting deleted in Chrome. It's because of your answer: "On startup: Continue where I left off". Makes sense now, thank you! – Shane N Feb 06 '14 at 23:36
1

If there's no expire it's going to be around until the browser is killed. Normally in ASP.Net the session cookies are set with a 20 minute timeout. That's usually pretty good. Depending on your app, you may want a javascript timer as well. Otherwise the browser won't understand when it's logged out until a page refresh happens and sensitive data can be exposed. You'll see this implementation on any online banking site.

(Edit to clarify from downvote) Session cookies do, in fact, stay around until the browser is closed. You can look it up here: http://www.allaboutcookies.org/cookies/cookies-the-same.html

The above answer is also correct in that some newer browsers will recover session cookies after a crash/close.

@Grinn, you do bring up a good point about the Ticket. When using ASP.Net Forms auth, an encrypted Ticket is placed within the session cookie. The cookie can still be in place as far as the browser is concerned, but if the datestamp inside the ticket is expired, it will be considered invalid.

If you're using some semblance of Forms auth with Sharepoint, you should probably just write your own membership provider that can crack the Ticket in the cookie, but disregard if the datestamp is expired. Building Custom Membership Provider

goosemanjack
  • I am authenticating to the SharePoint site from my client application. I use the same cookie all the time without authenticating again. I am getting account locked at times. So my question: would the server have a timeout for the cookie?? – rogerstone Mar 22 '13 at 20:29
  • Very little of this is true. Session cookies do not in fact hang around forever until the browser is killed. The default forms authentication *ticket* timeout for ASP.Net is 30 minutes, which actually has no effect on the expiration of Session cookies at all - it's just that the value of the Session cookie won't be considered valid by the server when the page is refreshed. A page refresh after a session has expired can in no way cause sensitive data to be exposed. – Grinn Oct 28 '13 at 19:03
  • Your answer/downvote seems to be confusing the Auth cookie with old ASP Session cookies. My answer is referring to how browser Session cookies behave, as opposed to Persistent cookies (with an expiration). Your point about the Ticket expiration, however, is well made. – goosemanjack Dec 11 '13 at 21:53
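Both answers above come down to the same mechanism: the cookie the browser holds and the Forms Authentication ticket encrypted inside it have separate lifetimes, and it is the ticket's embedded expiration (derived from the `timeout` attribute in the `forms` element) that the server actually enforces. The following is an added example, not code from either answer or from SharePoint: it reproduces what the ASP.Net FormsAuthenticationModule does with the auth cookie so the point is visible in code. The class and method names (`FormsTicketCheck`, `GetValidTicket`, `IssueCookie`) are hypothetical, and the code assumes it runs inside the ASP.Net application that issued the cookie, since `FormsAuthentication.Encrypt`/`Decrypt` depend on that application's `machineKey` and `forms` configuration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (added example, not part of the original answers).
// It mirrors the checks FormsAuthenticationModule performs on the auth cookie.
public static class FormsTicketCheck
{
    // Returns the ticket only if the cookie is present, was minted with this
    // application's machineKey, and its embedded expiration has not passed.
    // Returns null otherwise: the browser may still send the cookie, but the
    // server no longer honours it.
    public static FormsAuthenticationTicket GetValidTicket(HttpCookie authCookie)
    {
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt verifies the MAC as well as decrypting; a value produced
            // with a different machineKey fails here (exception or null,
            // depending on the framework version).
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (ArgumentException)
        {
            return null;
        }
        catch (HttpException)
        {
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;

        return ticket;
    }

    // Mints a cookie the way FormsAuthentication.SetAuthCookie does, using the
    // configured <forms timeout="..."> value (minutes). With isPersistent=false
    // the cookie carries no Expires attribute, so the browser treats it as a
    // session cookie, yet the ticket inside it still expires on schedule.
    public static HttpCookie IssueCookie(string userName, bool isPersistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                                   // ticket version
            userName,
            now,                                                 // issue date
            now.AddMinutes(FormsAuthentication.Timeout.TotalMinutes),
            isPersistent,
            string.Empty,                                        // userData
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath,
        };

        // Only persistent cookies get an Expires attribute; session cookies do not,
        // which is exactly why the browser-side lifetime and the ticket lifetime diverge.
        if (isPersistent)
            cookie.Expires = ticket.Expiration;

        return cookie;
    }
}
```

Two practical consequences for a client that replays saved headers, as in the question: first, once `ticket.Expired` is true every request is treated as unauthenticated regardless of what the browser or client still holds, so the client has to be prepared to authenticate again and should not keep retrying the stale cookie (repeated failures are one way to trip an account-lockout policy). Second, with `slidingExpiration="true"` (the default) the module reissues the cookie via `FormsAuthentication.RenewTicketIfOld` once more than half the timeout has elapsed; a client that ignores the `Set-Cookie` header on those responses and keeps sending the original value will still hit the original ticket's expiration.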