
SharePoint: How to change the expiration time of the FedAuth cookie

Working on a SharePoint application configured with Forms Based Authentication (FBA), I was asked to somehow reduce the expiration time of the FedAuth cookie. The default expiration time is 10 hours, which is too long for applications with sensitive data. I’d like to limit it to 20 minutes.

As is known, the Security Token Service takes part in SharePoint authentication by issuing, managing and validating security tokens. When the SharePoint authentication process is initiated, the login and password are passed to the Security Token Service. The Security Token Service, in turn, generates a security token and passes it back to SharePoint. SharePoint then creates a FedAuth cookie based on the issued security token and adds it to the Response. Once the cookie is sent to the client, it’s stored there in the local cookies folder. Every subsequent request to the site is accompanied by the cookie until it expires. SharePoint reads the cookie from the request and provides access to the content without re-authentication.

The default expiration time is a setting of the Security Token Service. We can change it with the following PowerShell command:

Set-SPSecurityTokenServiceConfig -FormsTokenLifetime [value in minutes]

That’s well described here. Note, however, that changing this setting affects the whole SharePoint farm, so FedAuth cookies issued for other applications will get the same expiration time. From that point of view, the solution isn’t acceptable for me.

Fortunately, I found an alternative way to change the expiration time so that it impacts a particular application only. The solution turned out to be quite easy and straightforward. Within the code-behind of the custom login page, after the user is authenticated, we can simply access the cookie placed in the Response object and forcibly set another expiration time. So, in my case I have the following code in the custom login page:

using System;
using System.Web;
using System.Web.UI.WebControls;
using Microsoft.SharePoint.IdentityModel;
using Microsoft.SharePoint.IdentityModel.Pages;
using Microsoft.SharePoint.Utilities;

public partial class CustomLoginPage : FormsSignInPage
{
	...

	protected override void OnInit(EventArgs e)
	{
		base.OnInit(e);

		// subscribe to the Authenticate event of the asp:Login control
		signInControl.Authenticate += SignInControlOnAuthenticate;
	}

	private void SignInControlOnAuthenticate(object sender, AuthenticateEventArgs authenticateEventArgs)
	{
		// authenticate the user; on success SharePoint appends the FedAuth cookie to the Response
		bool isAuthenticated = SPClaimsUtility.AuthenticateFormsUser(Context.Request.Url, signInControl.UserName, signInControl.Password);
		if (isAuthenticated)
		{
			authenticateEventArgs.Authenticated = true;

			// forcibly change the expiration time of the FedAuth cookie;
			// look it up by name instead of assuming it is the first cookie in the collection
			// (Response.Cookies["FedAuth"] would create an empty cookie if none exists, hence the AllKeys check)
			if (Array.IndexOf(Response.Cookies.AllKeys, "FedAuth") >= 0)
			{
				HttpCookie cookie = Response.Cookies["FedAuth"];
				cookie.Expires = DateTime.UtcNow.AddMinutes(20);
			}

			// redirect user to somewhere
			SPUtility.Redirect("some other url", SPRedirectFlags.Default, Context);
		}
	}
}

In the code above I set the cookie’s lifetime to 20 minutes. You can use the code to increase or decrease the default expiration time.

If you don’t use a custom login page, I believe (but didn’t test) it’s possible to achieve the same by employing an HttpModule with a handler for the EndRequest event fired by the HttpApplication object.
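The HttpModule variant sketched above, written out as an added example (this is not the author's code and was not taken from the post). It hooks EndRequest, and only when the response is actually issuing a FedAuth cookie does it override Expires. The module is registered in the web.config of a single web application, so it is scoped to that application just like the custom login page approach; the assembly name in the registration comment and the appSettings key FedAuthCookieLifetimeMinutes are placeholders assumed for this example. Keep in mind that Expires only controls how long the browser retains the cookie; the token's validity on the server is still bounded by the farm-wide FormsTokenLifetime, so a shorter Expires reduces how long an idle browser keeps the session, not how long the server would honour the token if it were presented.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Web;

// Example HttpModule (not part of the original post) that shortens the client-side
// lifetime of the FedAuth cookie for the one web application whose web.config registers it.
// Registration (IIS 7 integrated pipeline), with a placeholder assembly name:
//   <system.webServer>
//     <modules>
//       <add name="FedAuthCookieLifetime" type="FedAuthCookieLifetimeModule, YOUR_ASSEMBLY_NAME" />
//     </modules>
//   </system.webServer>
//   <appSettings>
//     <add key="FedAuthCookieLifetimeMinutes" value="20" />   <!-- assumed key name -->
//   </appSettings>
public class FedAuthCookieLifetimeModule : IHttpModule
{
    private const string FedAuthCookieName = "FedAuth";
    private const string LifetimeSettingName = "FedAuthCookieLifetimeMinutes"; // assumed appSettings key
    private const int DefaultLifetimeMinutes = 20;

    public void Init(HttpApplication context)
    {
        // EndRequest runs after the login page (or SharePoint's own sign-in plumbing) has
        // already appended the FedAuth cookie to the Response, so it is safe to adjust it here.
        context.EndRequest += OnEndRequest;
    }

    public void Dispose()
    {
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        ShortenFedAuthCookie(app.Context.Response.Cookies, DateTime.UtcNow, ReadLifetimeMinutes());
    }

    // Reads the lifetime from appSettings; a missing or invalid value falls back to the default.
    internal static int ReadLifetimeMinutes()
    {
        int minutes;
        string raw = ConfigurationManager.AppSettings[LifetimeSettingName];
        return int.TryParse(raw, out minutes) && minutes > 0 ? minutes : DefaultLifetimeMinutes;
    }

    // Sets Expires on the FedAuth cookie only when the response is actually issuing one.
    // Response.Cookies["FedAuth"] would CREATE an empty FedAuth cookie if none were present,
    // and that empty Set-Cookie would clobber the browser's real cookie, so AllKeys is checked first.
    // Returns true when a cookie was adjusted, which makes the logic easy to unit test.
    internal static bool ShortenFedAuthCookie(HttpCookieCollection cookies, DateTime utcNow, int lifetimeMinutes)
    {
        if (cookies == null || !cookies.AllKeys.Contains(FedAuthCookieName))
        {
            return false;
        }

        HttpCookie cookie = cookies[FedAuthCookieName];
        cookie.Expires = utcNow.AddMinutes(lifetimeMinutes);
        return true;
    }
}
```

ShortenFedAuthCookie takes the cookie collection and clock as parameters so it can be exercised in a plain unit test with a hand-built HttpCookieCollection (one containing a FedAuth cookie should return true with Expires moved forward by the configured minutes; an empty one should return false and stay empty), without spinning up the ASP.NET pipeline.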
