There are two timeout values in the web.config file that matter for implementing the "Remember Me" functionality.
The first one is FormsAuthentication.Timeout. This timeout sets the expiration timestamp of the .ASPXAUTH cookie. The .ASPXAUTH cookie allows you to bypass the login page without entering a username and password. When the authentication ticket times out, the system "forgets" you. But the system won't kick you out or give you a Session Timeout Error, because this timeout has nothing to do with the lifetime of the session object on the server.
<authentication mode="Forms"><forms loginUrl="~/Account/Login" timeout="2880" /></authentication>
The second one is HttpSessionState.Timeout. This timeout is tracked by the in-process session manager or by a SQL table, depending on which session storage mode is configured. After the session times out, the system kicks you out and gives you a Session Timeout Error.
<configuration><system.web><sessionState mode="InProc" cookieless="true" timeout="30" /></system.web></configuration>
When a user visits the login page for the very first time, ASP.NET creates the ASP.NET_SessionId cookie. This cookie always has its expiration set to "Session".
If a cookie has the expiration timestamp "Session", that cookie is stored only in the memory of the browser, as described on MSDN under Writing Cookies:
If you do not set the cookie's expiration, the cookie is created but it is not stored on the user's hard disk. Instead, the cookie is maintained as part of the user's session information. When the user closes the browser or if the session times out, the cookie is discarded. A non-persistent cookie like this is handy for information that needs to be stored for only a short time or that for security reasons should not be written to disk on the client computer. For example, non-persistent cookies are useful if the user is working on a public computer, where you do not want to write the cookie to disk.
When the cookieless attribute setting is false, the session-state module actually creates a cookie named ASP.NET_SessionId and stores the session ID in it.
…A session cookie is given a very short expiration term and is renewed at the end of each successful request.
However, I could not confirm that this behavior still holds. In other words, the exact same cookie is re-used for every HTTP request.
A much more important point is that developers have no control over the expiration of the ASP.NET_SessionId cookie. ASP.NET always sets its expiration to "Session", so you have to log in again if you close the browser, clear the cookies, or log out. The logout page is supposed to do two things:
Session.Abandon();             // start a new session on the server side and replace the existing ASP.NET_SessionId cookie with a new one
FormsAuthentication.SignOut(); // expire the .ASPXAUTH cookie
When “Remember Me” is not selected
If the session expires on the server side, or Session.Abandon is called, a new session is created on the server side. The new session has a new ID that does not match the ID in the ASP.NET_SessionId cookie held in the browser's memory. This mismatch originates from the server. The mismatch may also originate from the client, when the user closes the browser or tells the browser to clear cookies.
In either case, the mismatch means the session cannot be found. ASP.NET applications generally throw a Session Timeout Error at this point because they have nowhere else to look.
When "Remember Me" is selected
If the session expires or is renewed, or the ASP.NET_SessionId cookie is lost or cleared, ASP.NET can still see the .ASPXAUTH cookie, whose expiration timestamp was set explicitly.
Suppose a user selects the "Remember Me" option and then leaves the system for an extended period of time. When he or she comes back, the .ASPXAUTH cookie will NOT resume the previous session. Instead, a new session is created and the user is redirected to the login page. It is the login page that extracts the information (the FormsAuthenticationTicket) from the .ASPXAUTH cookie and redirects the user to the home page or back to the originally requested URL, as if the user had entered the correct username and password again.
“Remember Me” in complex systems
The "Remember Me" functionality provided by Microsoft will not be adequate if the application needs to do more than match a username and password. For example, a multi-tenant application needs the user to identify the client, database or table to log in to. In this case, the application has to put extra information into the .ASPXAUTH cookie.
If you need to put extra information into this cookie, you need to take the following steps:
- When you serve the login page, try to read the .ASPXAUTH cookie. If the extra information could be read from the cookie, you can redirect the user away from login page to home page or other pages.
- When the user submits login information, you need to put the extra information into the FormsAuthenticationTicket. See How to Add Custom Info to Authentication Cookies.
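Those two steps written out as an added example (this is not code from the original post or from Microsoft's documentation): an MVC AccountController that stores a tenant id in the ticket's UserData on login and reads it back when the login page is served. The tenant id field, the `tenant=` prefix and the `TenantAllowsUser` check are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    private const string TenantPrefix = "tenant="; // assumed layout of the UserData payload

    // GET /Account/Login: step 1, try to read the .ASPXAUTH cookie before showing the form.
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName]; // ".ASPXAUTH" by default
        if (authCookie != null)
        {
            FormsAuthenticationTicket ticket = TryDecrypt(authCookie.Value);
            // Decrypt validates the ticket against the machineKey, so a tampered cookie yields null here.
            if (ticket != null && !ticket.Expired && ticket.UserData.StartsWith(TenantPrefix))
            {
                Session["TenantId"] = ticket.UserData.Substring(TenantPrefix.Length); // repopulate the new server session
                return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "~/");        // never follow an off-site ReturnUrl
            }
        }
        return View();
    }

    // POST /Account/Login: step 2, put the tenant id into the FormsAuthenticationTicket.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string tenantId, bool rememberMe, string returnUrl)
    {
        // TenantAllowsUser is a hypothetical application check that the user belongs to the tenant.
        if (!Membership.ValidateUser(userName, password) || !TenantAllowsUser(tenantId, userName))
            return View();

        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout), // the <forms timeout="2880"> value from web.config
            rememberMe, TenantPrefix + tenantId);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                           // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,
        };
        if (rememberMe)
            cookie.Expires = ticket.Expiration;        // persistent; otherwise it stays a browser-session cookie
        Response.Cookies.Add(cookie);
        Session["TenantId"] = tenantId;
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "~/");
    }

    private static FormsAuthenticationTicket TryDecrypt(string value)
    {
        try { return FormsAuthentication.Decrypt(value); }
        catch (Exception) { return null; }             // malformed, oversized or foreign-key cookie value
    }

    private static bool TenantAllowsUser(string tenantId, string userName) { return !string.IsNullOrEmpty(tenantId); }
}
```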
The login flow: