Sitefinity Authentication Expiration

Posted on April 07, 2014 0 Comments

A common misconception when filling in a login form is that checking the "Remember me on this computer" box means you will be remembered on this computer forever. What the checkbox actually controls is whether the authentication cookie issued as proof of your successful authentication is session-based or has an expiration time. Furthermore, as with all other cookies, it is stored per browser, not per machine. The word "machine" is there to remind the user that they should trust the machine, not just the browser, when choosing whether to persist authentication data.

Now let's go back to the cookie and its expiration. Session cookies do not have an expiration date and are designed to be deleted as soon as you close your browser. If an expiration date is set, the browser is supposed to delete the cookie once it has expired. Here is the complication: since those cookies are stored on the client, their properties can't be trusted, which is why the expiration time is also encrypted and stored as part of the cookie's content. That embedded expiration time can't express a "session" retention policy, because the browser, which is what defines a session, can't decrypt it.

A logical question that we commonly address is: why not set the expiration time of the cookie to 10 years from now by default and spare all Sitefinity CMS clients those irritating login screens? The thing is that an attacker can steal a cookie, and if that cookie is valid forever it means he can always authenticate as you in that system, and nothing short of two-step authentication can prevent this from happening.

Therefore we leave it to you to decide what the expiration time of those authentication cookies should be, by setting "AuthCookieTimeout" in the "~Sitefinity/Administration/Settings/Advanced/Security" configuration section.
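To make the two points above concrete (the expiry that counts lives inside the protected cookie content, and "remember me" only decides whether the browser keeps the cookie past the session), here is an added example in Python. It is not Sitefinity's code and it does not use Sitefinity's cookie format: the ticket is authenticated with an HMAC rather than encrypted, the secret key, the cookie name, the `AUTH_COOKIE_TIMEOUT_MINUTES` stand-in for the `AuthCookieTimeout` setting and the timestamps are all constructed for the example. The server enforces the expiry embedded in the ticket and ignores whatever Max-Age the client's copy of the cookie carries.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed server-side secret for this example only; a real site keeps it out of source.
SERVER_KEY = b"example-only-secret-key-change-me"

# Stand-in for Sitefinity's AuthCookieTimeout setting (minutes); the value is assumed.
AUTH_COOKIE_TIMEOUT_MINUTES = 30

COOKIE_NAME = "auth"
MAC_LEN = hashlib.sha256().digest_size


def _b64encode(blob: bytes) -> str:
    # Unpadded URL-safe base64 keeps the cookie value free of characters that need quoting.
    return base64.urlsafe_b64encode(blob).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_ticket(username: str, now: Optional[float] = None,
                timeout_minutes: int = AUTH_COOKIE_TIMEOUT_MINUTES) -> str:
    """Create the cookie value: a JSON ticket with an embedded expiry, plus an HMAC.

    The expiry is part of the authenticated content, so the server can enforce it
    without trusting anything the browser reports about the cookie itself."""
    now = time.time() if now is None else now
    ticket = json.dumps({"user": username, "exp": int(now) + timeout_minutes * 60},
                        separators=(",", ":")).encode("utf-8")
    mac = hmac.new(SERVER_KEY, ticket, hashlib.sha256).digest()
    return _b64encode(ticket + mac)


def build_set_cookie(value: str, remember_me: bool,
                     timeout_minutes: int = AUTH_COOKIE_TIMEOUT_MINUTES) -> str:
    """Render the Set-Cookie header.

    "Remember me" only decides whether the browser keeps the cookie past the session
    (Max-Age present) or discards it when the browser closes (no Max-Age); it never
    extends the ticket's own expiry."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = value
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True   # keep the ticket away from page scripts
    morsel["secure"] = True     # only ever send it over HTTPS
    morsel["samesite"] = "Lax"
    if remember_me:
        morsel["max-age"] = timeout_minutes * 60
    return cookie.output()


def validate_ticket(value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the ticket is authentic and unexpired, else None.

    Only the embedded, MAC-protected expiry counts: a client can edit the cookie's
    Max-Age or keep an expired cookie around, but cannot make the server accept it."""
    now = time.time() if now is None else now
    try:
        blob = _b64decode(value)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(blob) <= MAC_LEN:
        return None
    ticket, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(SERVER_KEY, ticket, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None             # content (including the expiry) was altered
    try:
        claims = json.loads(ticket)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if now >= claims["exp"]:
        return None             # expired according to the server, whatever the browser did
    user = claims.get("user")
    return user if isinstance(user, str) else None


if __name__ == "__main__":
    issued_at = 1_700_000_000   # constructed timestamp
    value = make_ticket("alice", now=issued_at)
    print(build_set_cookie(value, remember_me=False))   # session cookie: no Max-Age
    print(build_set_cookie(value, remember_me=True))    # persistent cookie: Max-Age=1800
    print(validate_ticket(value, now=issued_at + 29 * 60))   # alice
    print(validate_ticket(value, now=issued_at + 31 * 60))   # None: embedded expiry passed
```

Setting a very large `timeout_minutes` here has exactly the effect the post warns about: a copied cookie value keeps validating until that embedded expiry passes, regardless of how the browser treats the cookie, so the timeout is the control that bounds the damage of a stolen cookie.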

Please note that in 7.0 we fixed a problem in Claims authentication that caused the authentication cookie to expire 10 hours after it had been issued, regardless of the configuration settings.

Momchil Mitev

Momchil Mitev is currently leading the Sitefinity R&D team at Telerik. He joined the company in 2008 as a web developer helping the internal business systems teams and later moved to the Sitefinity division. Previous responsibilities include leading the DevOps team in Telerik, helping with continuous delivery implementations.
