Sorry about the caps.
I found out something interesting yesterday.
As some developers know, and some haven't noticed, in ASP.NET 1.0 and 1.1 Microsoft took the approach to cookies that the developer should be able to just set a cookie and not worry about it ever again in their career. What you say?
I am just commenting on the fact that the default expiration for a cookie in ASP.NET 1.0 and 1.1 is 50 years.
Interestingly enough, someone at Microsoft said 'Hey.'. Yes, they actually said 'Hey.'. Then they commented on the fact that a 50 year expiration on everyone's cookie on every ASP.NET site in the whole wide world probably isn't the cleanest solution. Nor the most secure.
Their reaction? The default cookie expiration in ASP.NET 2.0 is 30 minutes.
That's a pretty substantial change, and something that could catch you off guard, especially since your clients' existing cookies don't get eaten but your new clients' cookies do, so you could come to think your new release has some issue.
Anyhow, I just think that there should have been a more suitable expiration set. For a truly 'I need more security' site, 30 minutes is good. Hell, those people are probably using session-based cookies anyhow, and at the least, they already knew to change the timeout on their cookie.