Spelunking around with ASP.NET forms auth, I got a bit of a surprise this morning. The last time I checked, in 1.x ASP.NET assigned a persistent forms cookie an expiration date that was 50 years in the future. But the code looks very different in 2.0. If you ask for a persistent cookie, you get one with an expiration equal to DateTime.Now.AddMinutes(T), where T is the timeout that you've configured for Forms login (which defaults to 30 minutes). This may surprise you (and your users) if you're upgrading to 2.0, so be aware. It's certainly better from a security point of view not to assign a login cookie that lasts for 50 years. But it changes things pretty dramatically from a usability standpoint, and there's always that tradeoff...

Keith
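One way to make the "remember me" lifetime an explicit decision instead of inheriting the forms timeout is to issue the ticket yourself. This is an added example, not code from the original post or from ASP.NET itself; the PersistentLogin class, the SignIn method and the 14-day and 30-minute lifetimes are assumptions chosen for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not part of ASP.NET): issues the forms auth cookie with
// a lifetime chosen on purpose for the persistent case.
public static class PersistentLogin
{
    // Assumption: constructed value; choose what your risk model allows.
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(14);
    // Assumption: mirrors the 30-minute default forms timeout the post mentions.
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(30);

    public static void SignIn(HttpResponse response, string userName, bool rememberMe)
    {
        DateTime now = DateTime.Now;
        DateTime expires = now.Add(rememberMe ? PersistentLifetime : SessionLifetime);

        // The expiration inside the encrypted ticket is what the server enforces;
        // the cookie's Expires only tells the browser how long to keep it.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            2,                 // ticket version
            userName,
            now,               // issue date
            expires,           // ticket expiration
            rememberMe,        // isPersistent
            String.Empty,      // userData
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // keep it away from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follow the <forms> setting
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Only a persistent login gets an Expires date; without one the browser
        // treats the cookie as a session cookie and drops it on close.
        if (rememberMe)
            cookie.Expires = expires;

        response.Cookies.Add(cookie);
    }
}
```

Call it from the login page in place of FormsAuthentication.SetAuthCookie(userName, true). Keeping the cookie's Expires equal to the ticket expiration avoids a browser holding a cookie the server already rejects.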