I've got a question about an ASP.NET MVC web application I wrote. More specifically, it is about the cookies the application saves. We recently discovered that the default ASP.NET Identity cookies have an expiry date in the past. For example, if you look at the ".AspNet.ExternalCookie" or ".AspNet.TwoFactorCookie", it says "expires=Thu, 01-Jan-1970 00:00:00 GMT". Here is a screenshot:

[Screenshot: ASP.NET Identity cookies]

When you look at the cookies in the browser, the expiration date says "When browsing session ends". So, my question is, is it correct that the expiration date is 01/01/1970 or is this not best practice? I read over at the OWASP site (https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Life_Cycle - in the Session Expiration paragraph) that you should set an expiry date in the past if you want to invalidate a cookie.

I'm not sure if I should change something in the Startup.Auth.cs or just let it go and trust Microsoft on this? What do you think?

Thank you very much, Sascha

zoidi
  • There are 2 cookie flavours: in-memory and on-file. Whatever tool you used for the screenshot shows this for a NULL date. It's not 1970, it's just not there. – H H Feb 12 '19 at 08:52
  • @HenkHolterman because DateTime is a struct in C#, it cannot be NULL. 1st of January 1970 (also called ["epoch time" or "UNIX Time"](https://en.wikipedia.org/wiki/Unix_time)) seems to just be the default value for a DateTime object in ASP.NET – MindSwipe Feb 12 '19 at 08:55
  • @MindSwipe - No, .NET defaults to the year 0 and can handle BC. This is about the reporting tool. – H H Feb 12 '19 at 08:56
  • @HenkHolterman, thank you, but is this best practice for these expiration dates to be null or should I set an expiration date? – zoidi Feb 12 '19 at 09:50
  • Setting the expiration is the switch between persistent and non-persistent cookies. So, no, do not set an expiration if you want to stay in-memory. – H H Feb 12 '19 at 10:02
  • @HenkHolterman, ok thank you for your explanation. So if I understand correctly, if I set an expiration on these cookies, they will expire in the given timespan. If I don't set an expiration, they will stay in memory until the browser window is closed. Is this correct? – zoidi Feb 12 '19 at 10:25
  • Yes, I think all browsers behave that way. It's a pretty old standard. – H H Feb 12 '19 at 10:29
  • Thank you very much, this helped a lot. Have a nice day – zoidi Feb 12 '19 at 10:32
  • [See this discussion for better explanation](https://stackoverflow.com/questions/5285940/correct-way-to-delete-cookies-server-side#:~:text=Invalidate%20the%20cookie%20by%20setting%20an%20empty%20value,that%20the%20cookie%20persists%2C%20even%20if%20it%27s%20expired.) – cskwg Dec 13 '21 at 06:25
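The three cases discussed in the comments (no expiry attribute = in-memory session cookie, a future expiry = persistent cookie, an expiry in the past = the browser deletes the cookie, which is what the OWASP advice relies on) can be checked directly against the `Set-Cookie` headers a server emits, instead of trusting what a screenshot tool displays for a missing date. The following is an added example, not code from the question or from ASP.NET Identity; the headers are constructed to resemble the cookie names in the question and the clock is fixed to the date of the thread.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers modelled on the cookies named in the question;
# they are not captured from the asker's application.
SAMPLE_HEADERS = [
    ".AspNet.ExternalCookie=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/; HttpOnly",
    ".AspNet.TwoFactorCookie=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/; HttpOnly",
    ".AspNet.ApplicationCookie=abc123; path=/; HttpOnly",
    "RememberMe=xyz; expires=Fri, 13-Feb-2099 10:02:00 GMT; path=/; HttpOnly",
    "Gone=; Max-Age=0; path=/",
]

# Fixed clock (the date of the comment thread) so the classification is reproducible.
NOW = datetime(2019, 2, 12, 10, 2, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {lowercased attribute: value})."""
    name_value, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = name_value.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.lower()] = val
    return name, value, attributes


def classify(header, now=NOW):
    """Return (name, kind) where kind is 'session', 'persistent' or 'deleted'.

    Follows the RFC 6265 rules a browser applies: Max-Age takes precedence over
    Expires; a non-positive Max-Age or an Expires in the past removes the cookie;
    no expiry attribute at all means it lives only until the browser is closed.
    """
    name, _value, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        return name, "deleted" if int(attrs["max-age"]) <= 0 else "persistent"
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # treat a bare timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return name, "deleted" if expires <= now else "persistent"
    return name, "session"


def audit(headers, now=NOW):
    """Map each cookie name to its kind, to spot a cookie that was meant to be
    in-memory but is persistent, or one that was meant to be removed but is not."""
    return dict(classify(h, now) for h in headers)


if __name__ == "__main__":
    for name, kind in audit(SAMPLE_HEADERS).items():
        print(f"{name:28s} {kind}")
```

Run it against the real response headers (for example copied from the browser's network tab) to confirm which of the Identity cookies are session-scoped and which are being actively cleared.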
