FormsAuthenticationTicket and Persistence

I have been playing around with putting forms based authentication on a site I am building.  I would like to store a piece of information in the authentication ticket and persist that cookie on the client between sessions.  So naturally, I searched around the net and kept coming across some code that looks something like this:

if (FormsAuthentication.Authenticate(UsernameTextBox.Text, PasswordTextBox.Value))
     FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
     string encryptedTicket = FormsAuthentication.Encrypt(ticket);
     HttpCookie authenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName,encryptedTicket);
     Response.Redirect(FormsAuthentication.GetRedirectUrl(UsernameTextBox.Text, true));

The only problem is that the authentication ticket doesn’t stick around between sessions even though I pass true to the isPersistent parameter of the FormsAuthenticationTicket constructor.  Each time I start a new browser up, I find that I am no longer authenticated.  So what’s the problem? 

If you don’t specify the cookie’s expiration date, it expires when you close the browser, right?  The solution is to add the following line before adding the cookie to the Response.Cookies collection:

     authenticationCookie.Expires = ticket.Expiration;


Comments (11)
  1. Mads Nissen says:

    i’ve been ignoring just this issue for a couple of weeks now with a user management system i’m working on. thanks tosh! you probably just saved me a couple of hours:)

  2. t says:

    i want to expirea ticket before its persistentene period ends

    say if it persists for 3 hrs

    i want it to expire after 1 hr?

  3. B. Mondragon says:

    Thanks for this! Works great, saved me time and more frustration. It seems so obvious once it’s explained… yet somehow it was too difficult to "figure out".

  4. Enzo says:

    Ey thanks! So lucky that you’r on the first page of google when I tried searching "formsauthentication ticket" persistence were really my problem 😀 ; thanks a lot for your article

  5. Oreo says:

    Well, the problem now is that you will always have a persistent cookie even if you don’t want to have a persistent cookie. ???

    Response.Redirect(FormsAuthentication.GetRedirectUrl(UsernameTextBox.Text, FALSE));

  6. Raj says:

    My problem is that no matter what I seem to do I ALWAYS have a persistent cookie even though I specified that I didn’t want a persistent cookie.

    The problem with persistent cookies is that when someone changes the web.config file (and the application restarts) .NET doesn’t clean up the persistent cookie and you will find that HttpContext.Current.User will still be the user logged in prior to application start. I haven’t completed my research yet but right now I’m assuming this has something to do with persistent cookies.

    That said with the amount of luck I’ve had resolving this problem I wouldn’t be surprised if this assumption was wrong.

  7. Kayes Lim says:

    This thing is bugging me the whole of tis morning.

    Causes me indigestiable lunch. 🙂

    Thank god for google!

  8. Micheal Habre says:

    Dear Sir,

    I have a question on the cookie we store on the client’s machine.

    thenext time the user comes in, how am i checking to see if there is a cookie on the client machine or not ? Am i just using Application_AuthenticateRequest method in the global.asax to check if a cookie exists ?

  9. jkowalski says:

    if (ticket.IsPersistent)


    cookie.Expires = ticket.Expiration;


  10. Jorin Slaybaugh says:

    Amen. Thank God for Google and Tosh!

Comments are closed.

Skip to main content