Welcome to the Microsoft ASP.NET Support Voice column! I am Nilay
B. Shah with the ASP.NET developer support team. I have been working with
ASP.NET support for more than one and a half years. Forms Authentication is
really a cool authentication feature. This article covers some issues that
users have found confusing with forms authentication, such as the relationship
of the forms authentication ticket and the forms authentication cookie and
their relevant settings. I would like to thank Jerry Orman, technical lead for
the ASP.NET support team, for his incredible help!
Developers often wonder about forms authentication "tickets" and "cookies" because they are
closely related. I have come across questions such as these: Can anyone explain
the difference between the cookie expiration and the ticket expiration? When
the cookie expires, the user will be redirected to the logon page. What happens
when the ticket expires? Will it also make the cookie expire? What does
SlidingUpdate actually update?
I will focus on these two aspects of
Forms Authentication in this article to answer the following questions:
- What are the forms authentication ticket and the forms
authentication cookie? How are they related?
- What is the role of a ticket in Forms Authentication?
- How are cookie expiration and ticket expiration related?
- How does sliding expiration work in the context of the forms
authentication ticket and the forms authentication cookie?
- Where can the time-out property of the forms authentication
cookie and forms authentication ticket be set?
- Issue scenario: The forms authentication may time out
before the timeout attribute value that is set in the configuration file
What are the forms authentication ticket and the forms authentication cookie? How are they related?
The forms authentication cookie is nothing but the container for the forms
authentication ticket. The ticket is passed as the value of the forms
authentication cookie with each request and is used by forms authentication, on
the server, to identify an authenticated user. Because the ticket alone is what
identifies the user, anyone who obtains a valid ticket can present it; that is
why the ticket is encrypted and signed, and why the cookie should be sent only
over SSL wherever the site supports it.
However, if we choose
to use cookieless forms authentication, the ticket is passed in the URL in
an encrypted format. Cookieless forms authentication exists because some
client browsers block cookies. This feature was introduced in the Microsoft
.NET Framework 2.0. A URL is exposed far more easily than a cookie (it is
logged, bookmarked, and sent in the Referer header), so cookieless tickets
should be used only when cookies really are unavailable.
What is the role of a ticket in Forms Authentication?
The forms authentication ticket is used to tell the ASP.NET
application who you are. Thus, the ticket is the building block of Forms
Authentication. The ticket is encrypted and signed using the keys in the
<machineKey> configuration element of the server's Machine.config file (an
application can override them in its own Web.config file).
ASP.NET 2.0 uses the decryptionKey
and the new decryption
attribute of the <machineKey>
element to encrypt forms authentication tickets. The decryption
attribute lets you specify the encryption algorithm to use.
ASP.NET 1.1 and 1.0 use 3DES encryption, which is not configurable. Tampering
with the ticket value is detected on the server when the ticket fails
validation or decryption; the request is then treated as unauthenticated and
the user is redirected to the logon page.
If the application is deployed in a Web farm, you must make sure that
the configuration files on each server share the same values for the validationKey
and decryptionKey attributes in the <machineKey>
element, which are used for hashing (signing) and decryption of the ticket
respectively. You must do this because you cannot guarantee which server will
handle successive requests: a ticket issued by one server must be readable by
every other server in the farm. The default AutoGenerate setting produces
different keys on each machine, so explicit keys are required in a farm. For
more information about FormsAuthenticationTicket encryption and Web farm
deployment considerations, see the MSDN documentation.
A walkthrough of methods to manually generate keys can be found
in the following Microsoft Knowledge Base articles:
How to create keys by using Visual C# .NET for use in Forms Authentication
How to create keys by using Visual Basic .NET for use in Forms Authentication
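The following is an added example of generating such keys; it is not the code from the Knowledge Base articles above. It assumes the .NET Framework 2.0 key-length limits for <machineKey> (validationKey 40 to 128 hex characters, decryptionKey 64 hex characters for AES) and picks the longest validation key and an AES decryption key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: generates random <machineKey> values for a Web farm.
// Key lengths follow the ASP.NET 2.0 limits: validationKey may be
// 40-128 hex characters (20-64 bytes); decryptionKey is 48 hex characters
// (24 bytes) for 3DES and 64 hex characters (32 bytes) for AES.
public static class MachineKeyGenerator
{
    // Returns numBytes of cryptographically random data as upper-case hex,
    // the format ASP.NET expects in validationKey / decryptionKey.
    public static string CreateKey(int numBytes)
    {
        byte[] buffer = new byte[numBytes];
        new RNGCryptoServiceProvider().GetBytes(buffer);
        StringBuilder hex = new StringBuilder(numBytes * 2);
        foreach (byte b in buffer)
        {
            hex.AppendFormat("{0:X2}", b);
        }
        return hex.ToString();
    }

    // Emits a <machineKey> element that can be pasted into every server's
    // Web.config or Machine.config. AutoGenerate is replaced by explicit keys
    // because auto-generated keys differ from machine to machine.
    public static string CreateMachineKeyElement()
    {
        string validationKey = CreateKey(64); // HMAC-SHA1 key, 128 hex chars
        string decryptionKey = CreateKey(32); // AES-256 key, 64 hex chars
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" " +
            "validation=\"SHA1\" decryption=\"AES\" />",
            validationKey, decryptionKey);
    }

    public static void Main()
    {
        // Run once, copy the output to every server in the farm, and keep the
        // file out of source control: whoever holds these keys can forge tickets.
        Console.WriteLine(CreateMachineKeyElement());
    }
}
```

The keys are generated with the operating system's random number generator rather than System.Random, because a guessable validationKey lets an attacker sign a ticket for any user name.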
Forms authentication tickets can also be generated
manually by using the FormsAuthenticationTicket
class; see the MSDN documentation for that class.
How are cookie expiration and ticket expiration related?
In the case of a non-persistent cookie, the cookie carries no expiration date
of its own: it lives until the browser is closed, and the expiration that
matters is the one embedded in the ticket. If the ticket has expired, the
server ignores the cookie, so effectively the cookie expires too, and the user
will be redirected to the logon page. On the
other hand, if the ticket is marked as persistent, the cookie is stored
on the client box and browsers send the same authentication cookie back on
later visits, so the user stays logged on without seeing the logon page until
the cookie itself expires (in ASP.NET 2.0 the persistent cookie's expiration
date is set to the ticket's expiration). However, we can use the FormsAuthentication.SignOut
method to delete persistent or non-persistent cookies; see the MSDN
documentation for that method.
With cookieless forms authentication, the ticket lives only in the URL, so if
the browser is closed, the ticket is lost and the user must log on again
before a new ticket is issued.
How does sliding expiration work in the context of
the forms authentication ticket and the forms authentication cookie?
Sliding expiration works exactly the same way for both, because the cookie is
reissued only when the ticket is renewed. Let's
take an example: if the logon page is accessed at 5:00:00 PM, the ticket should
expire at 5:10:00 PM if the timeout
attribute is 10 and the slidingExpiration
attribute is set to true. Now, if any Web page is browsed again
at 5:05:00 PM, the cookie and ticket time-out period will be reset to
5:15:00 PM.
Note
If the Web page is accessed before half of the expiration time
passes, the ticket expiration time will not be reset. For example, if any Web
page is accessed again at 5:04:00 PM, the cookie and ticket time-out
period will not be reset; only a request made at or after the halfway point
(5:05:00 PM here) causes a new ticket to be issued.
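The renewal rule above, as an added example that is not part of the original column. It reimplements the check that FormsAuthentication.RenewTicketIfOld makes, but with an explicit clock so the 5:04 and 5:05 requests can be replayed; the SlidingTicket class and its RenewIfOld method are assumptions introduced for the illustration, not ASP.NET types.

```csharp
using System;

// Added example: the renewal rule that the forms authentication module applies
// on every request when slidingExpiration="true". In a real application
// FormsAuthentication.RenewTicketIfOld does the same comparison against
// DateTime.Now, and the module rewrites the cookie only when a new ticket
// comes back.
public class SlidingTicket
{
    public DateTime IssueDate;
    public DateTime Expiration;

    public SlidingTicket(DateTime issueDate, int timeoutMinutes)
    {
        IssueDate = issueDate;
        Expiration = issueDate.AddMinutes(timeoutMinutes);
    }

    // Returns null if the ticket has expired, the same ticket if less than
    // half of its lifetime has elapsed, otherwise a fresh ticket issued "now"
    // with the same total lifetime. Renewing only past the halfway point is
    // the trade-off ASP.NET chose to avoid rewriting the cookie on every
    // response.
    public SlidingTicket RenewIfOld(DateTime now)
    {
        if (now >= Expiration)
        {
            return null; // expired: the request is treated as anonymous
        }
        TimeSpan elapsed = now - IssueDate;
        TimeSpan remaining = Expiration - now;
        if (remaining > elapsed)
        {
            return this; // before the halfway point: nothing is reissued
        }
        int lifetimeMinutes = (int)(Expiration - IssueDate).TotalMinutes;
        return new SlidingTicket(now, lifetimeMinutes);
    }

    public static void Main()
    {
        DateTime logon = new DateTime(2005, 1, 1, 17, 0, 0); // 5:00:00 PM
        SlidingTicket ticket = new SlidingTicket(logon, 10);  // timeout="10"

        // Request at 5:04:00 PM: under 5 minutes elapsed, expiration stays at 5:10.
        SlidingTicket at504 = ticket.RenewIfOld(logon.AddMinutes(4));
        Console.WriteLine("5:04 -> expires " + at504.Expiration.ToShortTimeString());

        // Request at 5:05:00 PM: half the lifetime elapsed, expiration moves to 5:15.
        SlidingTicket at505 = ticket.RenewIfOld(logon.AddMinutes(5));
        Console.WriteLine("5:05 -> expires " + at505.Expiration.ToShortTimeString());

        // Request at 5:11:00 PM with the original ticket: expired, back to the logon page.
        SlidingTicket at511 = ticket.RenewIfOld(logon.AddMinutes(11));
        Console.WriteLine("5:11 -> " + (at511 == null ? "expired" : "valid"));
    }
}
```

Note what sliding expiration does not do: a session that is used every few minutes never expires on its own, so an application that needs an absolute upper bound on session length must enforce it separately (for example by checking the original logon time stored in the ticket's UserData).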
Where can the time-out value of the forms authentication cookie
and forms authentication ticket be set?
The only setting that you can make is in the Web.config file or
the Machine.config file, in the <forms>
element. This setting determines the time-out period of forms
authentication for both the ticket and the cookie, unless the ticket is
generated manually. The attributes of the <forms> element are:
- name="[cookie name]" - Sets the name of the cookie used for Forms Authentication.
- loginUrl="[url]" - Sets the URL to redirect the client to for authentication.
- protection="[All|None|Encryption|Validation]" - Sets the protection mode for data in the cookie. All (the default) both encrypts and signs the ticket; anything less lets a client read or tamper with ticket contents, so do not lower it.
- timeout="[minutes]" - Sets the duration of time for the ticket (and therefore the cookie) to be valid, counted from the time the ticket was issued; with sliding expiration it is reset whenever the ticket is renewed.
- path="/" - Sets the path for the cookie.
- requireSSL="[true|false]" - Should the forms authentication cookie be sent only over SSL? Set this to true on any site that is served over HTTPS; otherwise the ticket travels in clear text and can be captured and replayed.
- slidingExpiration="[true|false]" - Should the forms authentication cookie and ticket be reissued if they are about to expire?
If the ticket is generated manually by using the FormsAuthenticationTicket
class, the time-out is set through the ticket's Expiration
property (the expiration parameter of the constructor). This value will override the timeout
attribute value specified in configuration files. For more information about
FormsAuthenticationTicket members, see the MSDN documentation.
Issue scenario: The forms authentication may time out before the timeout attribute value that is set in the configuration file
If the forms authentication ticket is manually generated, the
Expiration of the ticket will override the value that is set in the
configuration file. Therefore, if that value is less than the value in the
configuration file, the forms authentication ticket will expire before the
configuration file timeout
attribute value, and vice-versa. For example, let's assume that the timeout
attribute is set to 30 in the Web.config file and the Expiration
of the ticket is set to 20 minutes after its issue date. In this case, the forms
authentication ticket will expire after 20 minutes and the user will have to
log on again after that, even though the configuration promises 30. The
reverse case deserves more attention from a security standpoint: a hard-coded
Expiration of, say, 24 hours silently extends every session well past the
timeout the administrator configured.
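The scenario above in code, as an added example that is not from the original column. It assumes an ASP.NET 2.0 or later application whose Web.config contains <forms timeout="30"> and is meant to run inside a page or handler that has a response to write to; the class and method names (ManualTicketIssuer, ConfiguredTimeout, CreateTicket, CreateAuthCookie, IssueCookie) are introduced for the illustration.

```csharp
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Added example: issuing a forms authentication ticket manually (for instance
// to carry role data in UserData) without accidentally overriding the
// configured timeout. Assumes an ASP.NET 2.0+ application with a
// <forms timeout="30"> element in Web.config.
public static class ManualTicketIssuer
{
    // Reads the configured <forms timeout="..."> value so the ticket's
    // lifetime matches what the administrator set, rather than a literal.
    public static TimeSpan ConfiguredTimeout()
    {
        AuthenticationSection auth =
            (AuthenticationSection)WebConfigurationManager.GetSection("system.web/authentication");
        return auth.Forms.Timeout;
    }

    // The problem described in the article: a 20-minute literal wins over the
    // 30-minute configuration, so users are logged off after 20 minutes.
    public static FormsAuthenticationTicket CreateTicketWithHardCodedExpiry(string userName, string userData)
    {
        DateTime now = DateTime.Now;
        return new FormsAuthenticationTicket(1, userName, now, now.AddMinutes(20), false, userData,
                                             FormsAuthentication.FormsCookiePath);
    }

    // Corrected form: derive the expiration from the configured timeout.
    public static FormsAuthenticationTicket CreateTicket(string userName, string userData, bool persistent)
    {
        DateTime now = DateTime.Now;
        return new FormsAuthenticationTicket(1, userName, now, now.Add(ConfiguredTimeout()), persistent, userData,
                                             FormsAuthentication.FormsCookiePath);
    }

    // Wraps the ticket in the cookie the way the built-in SetAuthCookie does,
    // plus the hardening flags: Expires is set only for a persistent ticket
    // (a session cookie carries no date), HttpOnly keeps script away from the
    // ticket, and Secure honours requireSSL.
    public static HttpCookie CreateAuthCookie(FormsAuthenticationTicket ticket)
    {
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        if (ticket.IsPersistent)
        {
            cookie.Expires = ticket.Expiration; // cookie and ticket now expire together
        }
        return cookie;
    }

    // Call after the credentials have been verified, for example from a logon page.
    public static void IssueCookie(HttpResponse response, string userName, string roles, bool persistent)
    {
        FormsAuthenticationTicket ticket = CreateTicket(userName, roles, persistent);
        response.Cookies.Add(CreateAuthCookie(ticket));
    }
}
```

Two checks worth making when reviewing code like this: a ticket marked persistent whose cookie never gets an Expires date behaves like a session cookie and is dropped when the browser closes, and an Expires date set later than ticket.Expiration gains nothing, because the server rejects the expired ticket inside it regardless of how long the browser keeps the cookie.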
Troubleshoot Forms Authentication
How to implement forms-based authentication in your ASP.NET application by using C# .NET
How to implement forms-based authentication in your ASP.NET application by using Visual Basic .NET
I hope you found this information helpful in easing
some of the confusion involved with ASP.NET forms authentication ticket and
cookie. Remember, the Support Voice columns are for you! As always, feel free
to submit ideas on topics you want addressed in future columns or in the
Microsoft Knowledge Base using the
Ask For It