| Option | Default | Description |
| --- | --- | --- |
| name | .ASPXAUTH | Describes the name of the HTTP cookie to use for authentication (defaults to .ASPXAUTH). If multiple applications are running on the same web server, you should give each application’s security cookie a unique name. |
| loginUrl | login.aspx | Defines which page the user should be redirected to in order to log into the application. This could be a page in the root folder of the application, or it could be in a subdirectory. |
| timeout | 30 | Gives the number of minutes before the cookie expires. ASP.NET refreshes the cookie when it receives a request, as long as half of the cookie’s lifetime has expired. The expiry of cookies is a significant concern. If cookies expire too often, users will have to log in often, and the usability of your application may suffer. If they expire too seldom, you run a greater risk of cookies being stolen and misused. |
| slidingExpiration | false | This attribute enables or disables sliding expiration of the authentication cookie. If enabled, the expiration of an authentication cookie will be reset by the runtime with every request a user submits to the page. This means with every request the expiration of the cookie will be extended. |
| cookieless | UseDeviceProfile | Allows you to specify whether the runtime uses cookies for sending the forms authentication ticket to the client. Possible options are AutoDetect, UseCookies, UseUri, and UseDeviceProfile. |
| protection | All | Allows you to specify the level of protection for the authentication cookie. The option All encrypts and signs the authentication cookie. Other possible options are None, Encryption (encrypts only), and Validation (signs only). |
| requireSSL | false | If set to true, this property has the effect that the browser simply doesn’t transmit the cookie if SSL is not enabled on the web server. Therefore, forms authentication will not work in this case if SSL is not activated on the web server. |
| enableCrossAppRedirects | false | Enables cross-application redirects when using forms authentication for different applications on your server. Of course, this makes sense only if both applications rely on the same credential store and use the same set of users and roles. |
| defaultUrl | Default.aspx | If the FormsAuthenticationModule redirects a request from the user to the login page, it includes the originally requested page when calling the login page. Therefore, when returning from the login page, the module can use this URL for a redirect after the credentials have been validated successfully. But what if the user browses to the login page directly? This option specifies the page to redirect to if the user accesses the login page directly by typing its URL into the address bar of the browser. |
| domain | Your host | Specifies the domain for which this cookie is valid. Overriding this property is useful if you want to enable the cookie to be used for more applications on your web server. |
| path | / | Notes the path for cookies issued by the application. The default value (/) is recommended because case mismatches can prevent the cookie from being sent with a request. |
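
The following is an added example, not code from the original page: a small Python audit of a web.config `<forms>` element that fills in the defaults from the table and flags the settings the descriptions single out. The two sample configurations, the cookie name `.SHOPAUTH`, and the 60-minute review threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Defaults as listed in the table; a missing attribute takes these values.
DEFAULTS = {
    "name": ".ASPXAUTH", "timeout": "30", "slidingExpiration": "false",
    "cookieless": "UseDeviceProfile", "protection": "All",
    "requireSSL": "false", "path": "/",
}
MAX_TIMEOUT_MINUTES = 60  # assumed review threshold, not an ASP.NET limit

# Constructed sample configurations (not from a real application).
WEAK = """<configuration><system.web><authentication mode="Forms">
  <forms loginUrl="login.aspx" protection="Validation"
         cookieless="UseUri" timeout="600" />
</authentication></system.web></configuration>"""

HARDENED = """<configuration><system.web><authentication mode="Forms">
  <forms name=".SHOPAUTH" loginUrl="login.aspx" protection="All"
         requireSSL="true" cookieless="UseCookies" timeout="30" />
</authentication></system.web></configuration>"""


def audit_forms(web_config_xml):
    """Return (effective settings, findings) for the <forms> element."""
    root = ET.fromstring(web_config_xml)
    forms = root.find(".//authentication[@mode='Forms']/forms")
    if forms is None:
        return {}, ["no <forms> element under <authentication mode='Forms'>"]
    cfg = {**DEFAULTS, **forms.attrib}  # explicit attributes override defaults
    findings = []
    if cfg["protection"].lower() != "all":
        findings.append("protection=%s: ticket is not both encrypted and signed" % cfg["protection"])
    if cfg["requireSSL"].lower() != "true":
        findings.append("requireSSL is not true: cookie is not restricted to SSL")
    if cfg["cookieless"].lower() != "usecookies":
        findings.append("cookieless=%s: ticket may not be sent in a cookie" % cfg["cookieless"])
    if cfg["name"] == DEFAULTS["name"]:
        findings.append("default cookie name: use a unique name per application")
    if int(cfg["timeout"]) > MAX_TIMEOUT_MINUTES:
        findings.append("timeout=%s min: long-lived cookie is more exposed to theft" % cfg["timeout"])
    return cfg, findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_forms(xml_text)[1])
```
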