Forms Authentication Cookie Expiration

this is pretty confusing but it looks like i have to set both the "timeout" and "slidingExpiration" in my web.config under the authentication/forms section to get the RememberMe part to work correctly

i have it set like so and everything is working as expected

slidingExpiration="true" timeout="5120" 

rick strahl's blog helped me find the answer http://www.west-wind.com/WebLog/posts/157861.aspx

There's a detailed article on MSDN that explains how Forms authentication works and what are the available configuration options. Basically Forms authentication uses cookies (unless you specifically tell it not to). So you could set the expiration date for your Forms authentication cookies to 24 hours. But there's a catch. You probably need to roll your own Membership code, since by default, the timeout attribute of the forms element is also used to set the lifetime of the persistent cookie. And you don't want that. You'd want to set the expiration for your cookie to 24 hours.

The way it works is that after the user logs in, the Forms authentication cookie is created, and afterwards it's included along with each request until it expires. From the linked article: The Membership Provider has code similar to this when authenticating a user:

if (Membership.ValidateUser(userName.Text, password.Text))
{
    if (Request.QueryString["ReturnUrl"] != null)
    {
        FormsAuthentication.RedirectFromLoginPage(userName.Text, false);
    }
    else
    {
        FormsAuthentication.SetAuthCookie(userName.Text, false);
    }
}
else
{
    Response.Write("Invalid UserID and Password");
}

You can create a Forms Authentication ticket using the FormsAuthenticationTicket class:

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
        "cookieName",
        DateTime.Now,
        DateTime.Now.AddHours(24), // value of time out property
        false,
        String.Empty,
        FormsAuthentication.FormsCookiePath);

Forms authentication uses the Encrypt method for encrypting and signing the forms authentication ticket:

string encryptedTicket = FormsAuthentication.Encrypt(ticket);

Create the cookie:

HttpCookie authCookie = new HttpCookie(
                            FormsAuthentication.FormsCookieName, 
                            encryptedTicket);

Add the cookie to the cookie collection:

Response.Cookies.Add(authCookie);

And that should be about it.

You probably need to roll your own cookie, because by default, the timeout property that you specified for your forms is the one that's going to be used for the cookie timeout. So in your example:

<authentication mode="Forms">
  <forms loginUrl="Login.aspx" timeout="15" slidingExpiration="true"/>
</authentication>

The cookie's timeout will be 15 minutes also. Probably the easier approach in your case would be to handle your enforced 24-hour timeout using a session variable. Since you'd only hit that if the user was actually active during that period (otherwise it would have timed-out from the cookie). So you could just terminate a Session if had been active for over 24 hours.