Persistent Cookie (4728): How do I make the .ASPXAUTH cookie expire as a session cookie?


I am having medium-severity findings from scanning software [Cookie Security: Persistent Cookie (4728)].

It seems that I used a persistent cookie. I have found some answers that say not to set an expiration, but I am using System.Web.Security. Therefore I must set the expiration as below, or the class would be wrong. FormsAuthenticationTicket.cs is a temp class, so I could not edit the class.

  1. Is there a way to set the .ASPXAUTH cookie as a session cookie?

  2. No matter whether authTicket.expiration is 30 minutes or 1 hour, the .ASPXAUTH cookie's expiration is still one day. How do I make it work?

  3. I set the cookie's expiration to 30 minutes in IIS; the cookie disappears at the right time, but in the browser the cookie's expiration is still one day.

Here is my FormsAuthenticationTicket code:

Controllers:

// DTnow is a DateTime captured earlier in the action (e.g. DateTime.Now)
var authTicket = new FormsAuthenticationTicket(
    version: 1,
    name: _result.UserName,
    issueDate: DTnow,
    expiration: DTnow.AddHours(1),
    isPersistent: false,
    userData: _result.UserRank.ToString(),
    cookiePath: FormsAuthentication.FormsCookiePath
    );
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket))
{
    HttpOnly = true,
    Secure = true
};

authCookie.Expires = DTnow.AddMinutes(30);
if (authTicket.IsPersistent)
{
    authCookie.Expires = authTicket.Expiration;
    authCookie.Expires = DateTime.MinValue;   // overwrites the assignment on the line above
}
Response.Cookies.Add(authCookie);

Web.config:

<system.web>
  <sessionState timeout="31"></sessionState>
  <authentication mode="Forms">
    <forms loginUrl="~/AccountUser/Login" />
  </authentication>
  <compilation debug="true" targetFramework="4.7.2" />
  <httpRuntime targetFramework="4.7.2" />
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

Global.asax:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (HttpContext.Current.User == null) return;
    if (HttpContext.Current.User.Identity.IsAuthenticated == false) return;
    if (Request.IsAuthenticated == false) return;

    // The roles were stored as a comma-separated list in the ticket's UserData
    FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
    FormsAuthenticationTicket authTicket = id.Ticket;
    string[] arrRoles = authTicket.UserData.Split(',');
    HttpContext.Current.User = new GenericPrincipal(HttpContext.Current.User.Identity, arrRoles);
}

[Screenshots of the cookie in the browser and of my IIS settings omitted.]

Answer by 楊宇恩:

I found my answer. Here is my solution:

First, the Controller should not set "authCookie.Expires". I had set "authCookie.Expires = DateTime.MinValue", but that would not work either!

authCookie.Expires = DTnow.AddMinutes(30);  // delete this line!

Second, in the Controller the FormsAuthenticationTicket's isPersistent attribute should be false!

// DTnow is a DateTime captured earlier in the action (e.g. DateTime.Now)
var authTicket = new FormsAuthenticationTicket(
    version: 1,
    name: _result.UserName,
    issueDate: DTnow,
    expiration: DTnow.AddHours(1),
    isPersistent: false,
    userData: _result.UserRank.ToString(),
    cookiePath: FormsAuthentication.FormsCookiePath
    );

Third, check the Web.config setting: the <forms> element should not have the cookieless attribute.

<forms cookieless="UseDeviceProfile" loginUrl="~/AccountUser/Login" name=".ASPXAUTH" requireSSL="false" slidingExpiration="false" timeout="30" />

should be:

<forms  loginUrl="~/AccountUser/Login" name=".ASPXAUTH" slidingExpiration="false" timeout="30" />

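The way to confirm the fix above is to look at the Set-Cookie header the server actually sends, since the browser's cookie viewer only reflects it. The check below is an added example, not code from the question, the answer or ASP.NET: it parses Set-Cookie headers and applies the same rule the "Persistent Cookie" scanner finding uses (a cookie with Expires or Max-Age is persistent; one with neither is a session cookie), and also reports missing HttpOnly and Secure flags. The three headers are constructed sample input, not captured from the asker's site, and the function and variable names are my own.

```python
"""Classify Set-Cookie headers as session vs persistent and check security flags.

Added example (not part of the original question or answer). The sample headers
below are constructed to look like ASP.NET output; they are not real captures.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample responses: the first is what the asker saw before the fix,
# the second is what the fixed code emits, the third shows a missing Secure flag.
SAMPLE_HEADERS = [
    ".ASPXAUTH=A1B2C3; expires=Fri, 22-Jan-2027 09:00:00 GMT; path=/; secure; HttpOnly",
    ".ASPXAUTH=D4E5F6; path=/; secure; HttpOnly",
    "ASP.NET_SessionId=G7H8I9; path=/; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def classify_cookie(header, now=None):
    """Return persistence and security findings for a single Set-Cookie header."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    now = now or datetime.now(timezone.utc)
    persistent = False
    lifetime = None  # remaining seconds if persistent

    if "max-age" in attrs:
        # Max-Age wins over Expires (RFC 6265); zero or negative deletes the cookie
        try:
            secs = int(attrs["max-age"])
            persistent = secs > 0
            lifetime = secs if secs > 0 else 0
        except ValueError:
            pass
    elif "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            exp = None
        if exp is not None:
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            remaining = (exp - now).total_seconds()
            persistent = remaining > 0  # an Expires in the past is a deletion
            lifetime = int(remaining) if remaining > 0 else 0

    findings = []
    if persistent:
        findings.append("persistent cookie (Expires/Max-Age set)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    return {
        "name": cookie["name"],
        "persistent": persistent,
        "lifetime_seconds": lifetime,
        "findings": findings,
    }


def audit(headers, now=None):
    """Classify every Set-Cookie header in a response."""
    return [classify_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for result in audit(SAMPLE_HEADERS):
        status = "PERSISTENT" if result["persistent"] else "session"
        print(f"{result['name']:<20} {status:<11} {', '.join(result['findings']) or 'ok'}")
```

Run it against the headers of a real login response (for instance copied from the browser's network panel) and the auth cookie should show up as "session" with no findings once Expires is no longer set and isPersistent is false; the server-side ticket expiration still limits how long the encrypted ticket is accepted, independent of the cookie's lifetime in the browser.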