Configures an ASP.NET application for custom forms–based authentication.

<authentication mode="Windows">
   <forms 
      name=".ASPXAUTH" 
      loginUrl="login.aspx" 
      defaultUrl="default.aspx" 
      protection="All" 
      timeout="30" 
      path="/" 
      requireSSL="false" 
      slidingExpiration="true" 
      cookieless="UseDeviceProfile" domain="" 
      enableCrossAppRedirects="false">
      <credentials passwordFormat="SHA1" />
   </forms>
   <passport redirectUrl="internal" />
</authentication>

<forms> Element

loginUrl Specifies the URL to which the request is redirected for logon if no valid authentication cookie is found. The default value is default.aspx.

name Specifies the HTTP cookie to use for authentication. By default, the value of name is .ASPXAUTH. If multiple applications are running on a single server and each application requires a unique cookie, you must configure the cookie name in each application's Web.config file.

timeout Specifies the amount of time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed. This might result in a loss of precision. Persistent cookies do not time out.

slidingExpiration Specifies whether sliding expiration is enabled. Sliding expiration resets an active authentication cookie's time to expiration upon each request during a single session.

true Specifies that sliding expiration is enabled. The authentication cookie is refreshed and the time to expiration is reset on subsequent requests during a single session. The default for version 1.0 of ASP.NET was true.

false Specifies that sliding expiration is not enabled and the cookie expires at a set interval from the time it was originally issued. The default is false.

defaultUrl

Optional attribute.

Defines the default URL that is used for redirection after authentication.

This attribute is new in the .NET Framework version 2.0.

The default is "default.aspx".

path

Optional attribute.

Specifies the path for cookies that are issued by the application.

The default is a slash (/), because most browsers are case-sensitive and will not send cookies back, if there is a path case mismatch.

上面的部分属性可以在IIS中进行配置

<authentication mode="Forms">  
  <forms loginUrl="member_login.aspx"  
    cookieless="UseCookies"  
    path="/MyApplication" />  
</authentication>  

FormsAuthentication类中的静态字段

https://stackoverflow.com/questions/879321/formsauthentication-formscookiepath

https://www.quirksmode.org/js/cookies.html

Domain and path

Each cookie also has a domain and a path. The domain tells the browser to which domain the cookie should be sent. If you don't specify it, it becomes the domain of the page that sets the cookie, in the case of this page www.quirksmode.org.
Please note that the purpose of the domain is to allow cookies to cross sub-domains. My cookie will not be read by search.quirksmode.org because its domain is www.quirksmode.org . When I set the domain to quirksmode.org, the search sub-domain may also read the cookie.
I cannot set the cookie domain to a domain I'm not in, I cannot make the domain www.microsoft.com . Only quirksmode.org is allowed, in this case.

The path gives you the chance to specify a directory where the cookie is active. So if you want the cookie to be only sent to pages in the directory cgi-bin, set the path to /cgi-bin. Usually the path is set to /, which means the cookie is valid throughout the entire domain.
This script does so, so the cookies you can set on this page will be sent to any page in the www.quirksmode.org domain (though only this page has a script that searches for the cookies and does something with them).

https://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_path

HttpCookie

Provides a type-safe way to create and manipulate individual HTTP cookies.

The HttpCookie class gets and sets properties of individual cookies. The HttpCookieCollection class provides methods to store, retrieve, and manage multiple cookies.

ASP.NET includes two intrinsic cookie collections. The collection accessed through the Cookies collection of the HttpRequest object contains cookies transmitted by the client to the server in the Cookie header. The collection accessed through the Cookies collection of the HttpResponse object contains new cookies created on the server and transmitted to the client in the Set-Cookie HTTP response header.

HttpCookie.Path

Gets or sets the virtual path to transmit with the current cookie.

The virtual path to transmit with the cookie. The default is /, which is the server root.

The Path property extends the Domain property to completely describe the specific URL to which the cookie applies.

For example, in the URL http:/www.microsoft.com/asp, the domain is www.microsoft.com and the path is /asp.

HttpCookie.Domain

Gets or sets the domain to associate the cookie with.

The name of the domain to associate the cookie with. The default value is the current domain.

Setting the Domain attribute limits transmission of the cookie to clients requesting a resource from that domain.

启用windows 授权的话，需要在IIS中打开，参考https://docs.kentico.com/k10/managing-users/user-registration-and-authentication/configuring-windows-ad-authentication

sessionState Element (ASP.NET Settings Schema)

https://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.100).aspx

timeout

Optional TimeSpan attribute.

Specifies the number of minutes a session can be idle before it is abandoned. The timeout attribute cannot be set to a value that is greater than 525,600 minutes (1 year) for the in-process and state-server modes.

The session timeout configuration setting applies only to ASP.NET pages. Changing the session timeout value does not affect the session time-out for ASP pages. Similarly, changing the session time-out for ASP pages does not affect the session time-out for ASP.NET pages.

The default is 20 minutes.

https://msdn.microsoft.com/en-us/library/ms178581.aspx