SharePoint 2010: Changing the cookie expiration for Forms Authentication

We have several claims-based sites on which we use forms-based authentication alongside Windows-based authentication. The forms-based users were regularly complaining that the “Remember me” checkbox “wasn’t working”. Well, as usual, it seemed to work for me, so at first I blamed it on cookie policies, cleaner tools, stuff like that. But the comments were persistent, so I began digging a little deeper.

First, I thought altering the web.config would suffice. In normal ASP.NET web applications, you can edit the tag and add a timeout for the cookie. But SharePoint handles the cookies itself, so changing those parameters doesn’t really do anything.

So what’s the way to change it then? The power lies in the service handling the security token requests: the SecurityTokenService. Configuring a longer timeout proves to be quite easy using PowerShell. Use these commands:

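$sts = Get-SPSecurityTokenServiceConfig               # run in the SharePoint 2010 Management Shell
$sts.FormsTokenLifetime = (New-TimeSpan -Days 90)     # lifetime of forms tokens
$sts.WindowsTokenLifetime = (New-TimeSpan -Days 90)   # lifetime of issued Windows tokens
$sts.ServiceTokenLifetime = (New-TimeSpan -Days 90)   # timeout for the security token service cache
$sts.Update()                                         # persist the changes; without this they are not saved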

It’s quite straightforward: the FormsTokenLifetime configures how long forms tokens are valid. The WindowsTokenLifetime does the same for issued Windows tokens. The ServiceTokenLifetime sets the timeout for the security token service cache.

You can check if the timeout changed by using Firefox and inspecting your cookies before changing the settings. Compare the cookie expiration date to the date you get after changing the values. Make sure to delete the cookies first, so new ones are issued. If the settings were correctly updated, the expiration date should have moved.
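A server-side companion to the browser check above, added here as an example and not part of the original post: it reads the three lifetimes described earlier and reports which ones exceed a maximum you consider acceptable for a token that stays valid on a user's machine. The function name `Test-StsTokenLifetime`, the 30-day limit and the sample object are assumptions made for illustration.

```powershell
# Added example, not from the original post. Written for PowerShell 2.0,
# the version used by the SharePoint 2010 Management Shell.
function Test-StsTokenLifetime {
    param(
        [Parameter(Mandatory = $true)] $StsConfig,          # output of Get-SPSecurityTokenServiceConfig
        [TimeSpan] $MaxLifetime = (New-TimeSpan -Days 30),  # assumed policy limit, adjust to your own
        [DateTime] $Now = (Get-Date)
    )
    foreach ($name in 'FormsTokenLifetime', 'WindowsTokenLifetime', 'ServiceTokenLifetime') {
        $lifetime = $StsConfig.$name
        if ($lifetime -isnot [TimeSpan]) {
            # Property missing or of an unexpected type: report it instead of guessing
            $status = 'Unreadable'; $expires = $null
        } elseif ($lifetime -gt $MaxLifetime) {
            $status = 'ExceedsPolicy'; $expires = $Now.Add($lifetime)
        } else {
            $status = 'OK'; $expires = $Now.Add($lifetime)
        }
        # ExpiresIfIssuedNow is simply now + lifetime: a rough value to hold
        # against the cookie expiration date seen in the browser.
        New-Object PSObject -Property @{
            Setting = $name; Lifetime = $lifetime; Status = $status; ExpiresIfIssuedNow = $expires
        } | Select-Object Setting, Lifetime, Status, ExpiresIfIssuedNow
    }
}

# Constructed sample standing in for the real configuration object,
# so the function can be tried away from a farm server.
$sample = New-Object PSObject -Property @{
    FormsTokenLifetime   = New-TimeSpan -Days 90
    WindowsTokenLifetime = New-TimeSpan -Hours 10
    ServiceTokenLifetime = New-TimeSpan -Days 90
}
Test-StsTokenLifetime -StsConfig $sample | Format-Table -AutoSize

# On a farm server:
# Test-StsTokenLifetime -StsConfig (Get-SPSecurityTokenServiceConfig)
```

Running it before and after the change gives a record of the previous values, which is what you need if the longer lifetimes have to be rolled back.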

If you want to implement a sliding expiration, check out this blog post:
