ASP.NET非永久cookie（又称会话cookie）对于某些用户而言没有超时

Question

I have an ASP.NET MVC Web project that uses non-persistent cookie (aka session cookie). The requirement is that a logged in session will time out either after 30 mins of inactivity or, users closes the web browser.

The project is in production, and some users reported that they don't need to login after days of usage. But they have to login at the beginning of using the project. The defect cannot be replicated on Testing Servers so far. Again, the defect don't happen for every user, and happens to some users after some usages.

Below is main code:

1) use cookie.Expires = DateTime.MinValue ; //create non-persistent cookie.

2) Use FormsAuthentication.Encrpt() method to encrypt ticket

3) Use form element in web.config timeout attribute to validate timeout

The code above explains the main logic.

Any idea?

Answer 1

Actually, setting cookie.Expires always create persistent cookie if the date is in future or deletes the cookie if the date is in the past.

The line

cookie.Expires = DateTime.MinValue;

is somewhat confusing then. It looks like you are deleting the cookie so that when it gets to the client, it should be invalidated by the browser. The information you provide is not consistent then.

To have non-persistent cookies, never touch the Expires property. Instead, set the valid date inside the FormsAuthenticationTicket . The cookie will then hit the server but the ticket inside will make it invalid. Token validity and cookie expiry date are two unrelated dates and you should rely on the first one.

My guess is that for some users, the first page can possibly be read from the browser cache. Firefox caches aggresively and we have observed such behavior. One of possible ways to work this around is to turn of caching at the page level so that the browser is told to always ask the server for the newest version of the page and thus users have to relogin.