Advanced form options

Advanced form options enables you to configure the following:

  • Under Cookie Settings, you can provide a name for the cookie that Microsoft Forefront Threat Management Gateway provides to the client after forms-based authentication has succeeded. From the drop-down list, you can select whether the cookies are persistent (continue to exist on the client after the session ends) on all computers, only on private computers, or never.
  • Under Client Security Settings, you can select:
    • Treat as maximum idle time, to set a time-out based on the amount of time that the client is idle.
    • Treat as maximum session duration, to set a time-out based on the session length. Then provide time-outs for public and private computers, which will be used to establish the maximum idle time or maximum session length.
    • Apply session timeout to non-browser clients, to apply the session timeout period to clients that are not browser-based (such as Outlook RPC/HTTP and ActiveSync.


When a session reaches the time-out threshold, clients are required to log on to the session using their user credentials.
When you configure a time-out for forms-based authentication, we recommend that the time-out be shorter than that imposed by the published server. If the published server times out before the Forefront TMG computer, the user may mistakenly think that the session ended. This could allow attackers to use the session, which remains open until actively closed by the user or timed out by Forefront TMG as configured on the form setting.
Use persistent cookies to allow opening documents from Microsoft Windows SharePoint Services without the need to reauthenticate.
Note the following security issues related to persistent cookies:

  • A malicious attacker who obtains a persistent cookie may be able to perform a brute force attack to obtain user credentials from the cookie.
  • On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers.
  • Spyware may be able to access the cookie.