c# - Cookie Confusion with FormsAuthentication.SetAuthCookie() Method - Stack Overflow
The timeout parameter you've found in /system.web/authentication/forms is the duration (in minutes) of the authentication ticket.
This means that after a certain amount of time of inactivity, a user is prompted to log in again. If you try to check My.Profile.Current.IsAuthenticated, it will be false.
You can choose not to persist the cookie. In this situation, if your ticket expires, your cookie expires too. The purpose of the cookie (if it is persisted) is to remember the user if he/she comes back to your site.
You might want to persist your cookie for 10 years so the user will never have to enter a username and password again, unless they've chosen to delete the cookie. The cookie is valid even if the browser is closed (when it is persisted).
Another important thing to remember is the parameter slidingExpiration: if it's true, your authentication ticket will be renewed every time there's activity on your site (a refresh of the page, etc.).
What you can do - and what I've done - is to write your own cookie like this:
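    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
        1,                            // version
        userName,                     // name stored in the ticket
        DateTime.Now,                 // issue date
        DateTime.Now.AddMinutes(30),  // ticket expiration
        true,                         // isPersistent
        userData);                    // application-specific user data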
Differences: slidingExpiration vs time expiration vs persistent cookie?
If the IIS App Pool recycles? Shutdown worker process if idle and recycle worker process: authentication cookie does not expire, session expires.
If modifying Global.asax or Web.config, or the Bin folder?
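The two lifetimes described in the answer above, the ticket's expiration and the cookie's own expiry, shown side by side in an added C# example that is not part of the original post. `AuthCookieHelper` and its method names are hypothetical; the code assumes classic ASP.NET (System.Web, .NET Framework 4.0 or later) with forms authentication configured in web.config.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical helper, added for illustration (not from the original answer).
public static class AuthCookieHelper
{
    public static void Issue(HttpResponseBase response, string userName,
                             bool persistent, string userData)
    {
        DateTime now = DateTime.Now;
        // Ticket lifetime: stored inside the encrypted value, checked by the server.
        var ticket = new FormsAuthenticationTicket(
            1,                                     // version
            userName,
            now,                                   // issue date
            now.Add(FormsAuthentication.Timeout),  // forms timeout from web.config
            persistent,
            userData ?? string.Empty,
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        // Cookie lifetime: browser-side only. With no Expires value this is a
        // session cookie that is dropped when the browser closes.
        if (persistent)
            cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Returns null for a missing, unreadable or expired ticket. With sliding
    // expiration on, RenewTicketIfOld returns a renewed ticket only once more
    // than half of the ticket's lifetime has elapsed.
    public static FormsAuthenticationTicket Validate(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }       // not a valid ticket
        catch (CryptographicException) { return null; }  // failed to decrypt
        if (ticket == null || ticket.Expired) return null;
        return FormsAuthentication.SlidingExpiration
            ? FormsAuthentication.RenewTicketIfOld(ticket) : ticket;
    }
}
```

A cookie that the browser still holds does not authenticate anyone once the ticket inside it has expired, so the ticket expiration is the value that bounds how long a copied cookie stays usable.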