基于表单认证的站点, 默认地, SharePoint会创建一个使用permanent cookie的固定为十小时的session. 这意味着, 即使你关掉了你所有的浏览器窗口, 然后重开, 你的session还是存在的, 你还是处于登录过的状态. 想要登出的话, 就得去显式地log out.
这种session persistence cookie有些好处, 尤其是在使用Office客户端应用程序做Single Sign-on的时候. 比如说, 你用Word, Excel, PowerPoint从SharePoint打开文档的时候, 你不需要重新输入用户名和密码.
注意, 这里有个需要把站点加入Trusted Sites的要求, 详细请见这里.
Claim Based Authentication的站点会使用Cookie么, 如果用的话, 这个cookie是基于session的么?
使用ADFS 2.0的Claim Based Authentication的站点, 用户会从Active Directory Federation Services (AD FS) 2.0那里拿到一个logon cookie.
下面的文字摘录自这里, 描述了用户登录过程中ADFS 2.0, SharePoint 2010, 用户, 浏览器的交互过程.
First, a brief background. The first time that you navigate to a Microsoft SharePoint 2010 site that is secured with SAML claims, it redirects you to get authenticated and get your claims. Your SAML identity provider, also known as identity provider security token service (IP-STS), does all that and then redirects you to SharePoint. When you come back into SharePoint 2010, SharePoint creates a FedAuth cookie; that is how SharePoint knows that you have been authenticated. To make a smoother end-user experience, SharePoint writes the FedAuth cookie value to the local cookies folder. On subsequent requests for that site, if SharePoint finds a valid FedAuth cookie for the site, SharePoint reads the cookie and takes you directly to the SharePoint content, without reauthenticating.
This can be a bit of a jolt to those of you who are used to using AD FS 1.X and Microsoft Office SharePoint Server 2007 because, when using them, all web single sign-on (SSO) cookies are session-based, so we did not save them to disk. When you closed your browser, for example, the cookie went away; you had to reauthenticate each time that you closed and opened your browser.
That is not the case with SharePoint 2010. But you can make a change to the SharePoint security token service (STS) to make it work with session cookies again, as it did in Office SharePoint Server 2007. The following Windows PowerShell code makes the change.
$sts = Get-SPSecurityTokenServiceConfig $sts.UseSessionCookies = $true $sts.Update() iisreset
参考资料
=====================
SharePoint 2010 Session Management
http://blog.petercarson.ca/Pages/SharePoint-2010-Session-Management.aspx
SharePoint 2010 FBA and Sliding Sessions
http://blogs.msdn.com/b/scicoria/archive/2011/06/10/sharepoint-2010-fba-and-sliding-sessions.aspx
Setting the Login Token Expiration Correctly for SharePoint 2010 SAML Claims Users