What is the best practice for SharePoint Cookie management and session management for Forms Based Authentication (FBA)?

  • Question

  • Can someone please tell me how exactly we should configure different cookie lifetimes and session timeouts for a SharePoint Forms Based authenticated website?

    I came across following lifetimes:

    1. LogonTokenCacheExpirationWindow

    2. FormsTokenLifetime

    3. CookieLifetime

    4. CookieLifetimeRefreshWindow

    Could you please explain relation between these values, and how these values affect each other?

    Thursday, February 9, 2017 11:07 AM

All replies

  • Hi Sumit,


    This lifetime has a direct impact in how often the user will need to authenticate. When the user makes a request, the token in the cache is checked and if it is expired, then the user needs to authenticate again.


     SharePoint stores the authentication/session (FEDAUTH) cookie as a persistent cookie on disk. This allows the user to close and reopen their browser and access SharePoint without having to re-authenticate. This behavior is not always desirable.


    The lifetime of a token in the cache is deducted the window value when checking if it is expired. This means that the real lifetime of the token will be less than expected. The following diagram can be helpful to understand when a token is valid and the roles the lifetime and window play in the expiration.

    CookieLifetimeRefreshWindow is similar to LogonTokenCacheExpirationWindow, which will affect the cookie refresh time interval.

    More information:

    SharePoint 2013 authentication lifetime settings

    SharePoint Authentication and Session Management


    Best Regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, February 10, 2017 8:48 AM
  • Hi Jerry,

    Thanks a lot for your quick reply and the information you provided is really very helpful.

    Still I have one doubt, that SharePoint gives "expires" time in the Authentication.login response for forms based authentication.

    Is this expires time calculated taking all other impacting factors like LogonTokenCacheExpirationWindow and the other factors into consideration?

    So basically can I only rely on FedAuth cookie expires time to refresh the FedAuth cookie after the expiry time again and go ahead with SharePoint access smoothly? Or do I need to manually subtract the other depending factors from this expires time?

    Thanks & Regards,

    Sumit Deshinge

    Friday, February 10, 2017 9:58 AM
  • Hi Sumit,

    Yes, the expires time for the Authentication response will be affected by LogonTokenCacheExpirationWindow; it will affect the token cache lifetime, and once the cache has expired, the user will re-enter the credentials. And yes, we can refresh the cookie to make authentication work.


    Best Regards


    Monday, February 13, 2017 8:46 AM
  • Hi Jerry,

    Thanks for clarification.

    But still I require clarity on whether I can rely only on the "expires" field of the response from the Authentication.login call?

    Is this "expires" field in the response given by SharePoint after considering all other affecting factors, so that I can safely refresh the cookie using only this time? (That means the expires time in the response has been calculated using the other cookie lifetimes.)


    Sumit Deshinge

    Monday, February 13, 2017 9:35 AM
  • Hi Sumit,

    The expires will depend on when the user logs in; for example, if a user logs in at 5:00 pm and the token lifetime is set to 10 min, then the user will have to authenticate again after 5:10 pm when accessing other pages.


    Best Regards


    Tuesday, February 14, 2017 8:22 AM
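    The PowerShell below is an added illustration, not code from the thread or from Microsoft: it models the expiry check described in the first reply and in the 5:00 pm example above (a cached token is treated as expired once its lifetime minus the window has elapsed), and reads and sets the four settings from the question through the farm's Security Token Service configuration object. The function names are assumptions; the Get-/Set- parts need the SharePoint snap-in on a farm server, while Test-FbaTokenExpiry is pure and runs anywhere.

```powershell
# Added example, not from the thread. Farm cmdlets need the SharePoint snap-in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Pure model of the expiry check: a token issued at $IssuedAt with $Lifetime is
# treated as expired once $Now reaches IssuedAt + Lifetime - Window.
function Test-FbaTokenExpiry {
    param([datetime]$IssuedAt, [timespan]$Lifetime, [timespan]$Window, [datetime]$Now)
    $effective = $IssuedAt + $Lifetime - $Window
    [pscustomobject]@{
        NominalExpiry   = $IssuedAt + $Lifetime   # what the "expires" value suggests
        EffectiveExpiry = $effective              # when re-authentication is actually forced
        MustReauth      = ($Now -ge $effective)
    }
}

# Read the farm-wide STS settings and derive the effective values.
function Get-FbaLifetimeReport {
    $sts = Get-SPSecurityTokenServiceConfig
    [pscustomobject]@{
        FormsTokenLifetime              = $sts.FormsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
        EffectiveTokenLifetime          = $sts.FormsTokenLifetime - $sts.LogonTokenCacheExpirationWindow
        CookieLifetime                  = $sts.CookieLifetime
        CookieLifetimeRefreshWindow     = $sts.CookieLifetimeRefreshWindow
        EffectiveCookieLifetime         = $sts.CookieLifetime - $sts.CookieLifetimeRefreshWindow
        UseSessionCookies               = $sts.UseSessionCookies   # $false: FedAuth is persisted on disk
    }
}

# Apply new values. A window that is not shorter than its lifetime would make every
# token expired at the first check, so reject it. UseSessionCookies = $true keeps
# the FedAuth cookie in memory instead of on disk (the "not always desirable" case).
function Set-FbaLifetimes {
    param([timespan]$TokenLifetime, [timespan]$CacheWindow,
          [timespan]$CookieLifetime, [timespan]$CookieRefreshWindow)
    if ($CacheWindow -ge $TokenLifetime -or $CookieRefreshWindow -ge $CookieLifetime) {
        throw 'Each window must be shorter than the lifetime it applies to.'
    }
    $sts = Get-SPSecurityTokenServiceConfig
    $sts.FormsTokenLifetime              = $TokenLifetime
    $sts.LogonTokenCacheExpirationWindow = $CacheWindow
    $sts.CookieLifetime                  = $CookieLifetime
    $sts.CookieLifetimeRefreshWindow     = $CookieRefreshWindow
    $sts.UseSessionCookies               = $true
    $sts.Update()   # applies to newly issued tokens; restart IIS on the web front ends afterwards
}

# The thread's example: login at 5:00 pm, 10 min lifetime, 2 min window, checked at 5:09 pm
Test-FbaTokenExpiry -IssuedAt '2017-02-14 17:00' -Lifetime (New-TimeSpan -Minutes 10) `
                    -Window (New-TimeSpan -Minutes 2) -Now '2017-02-14 17:09'
```

    With those inputs the nominal expiry is 5:10 pm but re-authentication is forced from 5:08 pm, which is why a client should not rely on the raw "expires" value without subtracting the window.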
  • Hi Jerry,

    I found this old conversation and hope I can send an additional question here.

    I am totally aware of how a token expiration time is calculated. What I cannot find is the role of the "LogonTokenCacheExpirationWindow" parameter in general in the designed authentication model.
    Why do we need to adjust "WindowsTokenLifetime" instead of setting the required value into it?
    I mean, instead of using windowstokenlifetime=10 and LogonTokenCacheExpirationWindow=2, why isn't it designed to just use windowstokenlifetime=8 without an expiration window?
    I have a suggestion but never saw any confirmation that during the expiration window (the last 2 minutes of the 10 min lifetime from the example) the SAML token is updated automatically without prompting the user for a password... but then it becomes a sliding token expiration, which is not stated as the default behavior.

    So, why do we use "LogonTokenCacheExpirationWindow" at all while the model can be simpler?


    Thursday, May 31, 2018 10:20 AM