“Sign me in automatically” in Forms Authentication

Now this is not just limited to SharePoint, but, since my main focus is SharePoint, this is where I come across this issue the most. When you log in with SharePoint via Forms Based Authentication, there is that little “Sign me in automatically” checkbox below the FBA login form. If you check this, you may realize that a few hours later, when you go to log back into the site, it does not seem to actually remember you at all. That is because by default, it will only remember you for 30 minutes. We can change this quite easily however… This option is controlled within your web application configuration file (web.config) on the server.

If you open this file directly, search for <authentication mode=”Forms”> under <system.web>, you will see, by default, this:

<authentication mode="Forms">
<forms loginUrl="/_login/default.aspx" />
</authentication>

You can also look in IIS as well, under the Configuration Editor feature in the Management section of the web application

If we expand system.web, and click on authentication

Now, the two options we want to look at in here are timeout, and sliding expiration…

The definitions for both of these settings are below, taken from MSDN.

When the SlidingExpiration is set to true, the time interval during which the authentication cookie is valid is reset to the expiration Timeout property value. This happens if the user browses after half of the timeout has expired. For example, if you set an expiration of 20 minutes by using sliding expiration, a user can visit the site at 2:00 PM and receive a cookie that is set to expire at 2:20 PM. The expiration is only updated if the user visits the site after 2:10 PM. If the user visits the site at 2:09 PM, the cookie is not updated because half of the expiration time has not passed. If the user then waits 12 minutes, visiting the site at 2:21 PM, the cookie will be expired. (from: http://msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.slidingexpiration.aspx)

The amount of time in minutes after which the authentication expires. The default value is 30 minutes. (from: http://msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.timeout.aspx)

I suggest setting this to something much higher… if your users will generally log in once a month, setting this to a couple of months, will ensure they are remembered, and with sliding expiration configured, if they log in during the 3rd month, then the system will reset the time on that cookie, remembering them for another 3 months from that date. For sites which have users logging in less often, setting this to a year will be a decent bet that this will remember them for some time. A year in minutes would be: 525600

Hopefully this helps in your configuration of FBA for SharePoint, as well as other FBA applications.