1
votes

I was researching forms authentication in ASP.NET and got stuck with the various timeout settings found in a sample code. In the web.config itself two timeouts are specified. One is sessionState timeout="30", and the other is under the authentication settings: forms loginUrl="Login.aspx" protection="All" path="/" timeout="60".

Apart from these, the login page's C# code sets another timeout on the FormsAuthenticationTicket, as shown below:

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                                          // version
    tableObject.Rows[0]["UserName"].ToString(), // user name from the login query result
    DateTime.Now,                               // issue date
    DateTime.Now.AddMinutes(40),                // expiration: a third timeout, 40 minutes
    true,                                       // persistent cookie
    "AuthenticatedUser",                        // user data
    FormsAuthentication.FormsCookiePath);       // cookie path

How do these timeouts actually work, and what are the preferred settings to ensure good protection for the pages?


3 Answers

2
votes

HttpSessionState.Timeout property: gets and sets the amount of time, in minutes, allowed between requests before the session-state provider terminates the session. The Timeout property can be set in the Web.config file for an application using the timeout attribute of the sessionState configuration element, or you can set the Timeout property value directly using application code.

<configuration>
  <system.web>
    <sessionState 
      mode="InProc"
      cookieless="true"
      timeout="30" />
  </system.web>
</configuration>

A session starts every time a new user hits the website, regardless of whether or not they are anonymous. Authentication has very little to do with Session.

On the other hand, the authentication timeout (which is under the authentication settings) is the amount of time that the authentication cookie is good for on the user's browser. Once the cookie expires, they must re-authenticate to access protected resources on the site.

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH" 
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
  </authentication>
</system.web>

So, if the session times out before the authentication cookie, the user is still authenticated, but all their session variables disappear, which may cause errors in your website if you are not disciplined about checking for nulls and other conditions brought about by the missing session.

If Authentication times out before the session, then all their session variables will still exist, but they won't be able to access protected resources until they log back in again.

If your session times out after 20 minutes, your session variables will be lost, but the user can still access the pages which are protected by the authentication.

If the authentication times out, the user cannot access the pages it protects, and the state of the session is irrelevant.

I just want to add that there is another important timeout setting that exists in IIS at the application pool level. IIS will restart the pool after the specified idle timeout has been reached, to free the allocated resources. You should make sure this pool idle timeout is always greater than the two timeouts mentioned above, or you will get errors regardless of what the session or forms timeout is set to.

This stuff is very trivial and you can find more on this on MSDN.
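A defender-side illustration of the interaction described in the answer above, added here as an example that is not part of any answer on this page: a hypothetical Global.asax code-behind that derives the manually built ticket's lifetime from the configured forms timeout instead of a hard-coded 40 minutes, and signs the user out when the session expired while the forms cookie was still valid. It assumes .NET Framework 4.0 or later (for FormsAuthentication.Timeout) and the default ASP.NET_SessionId session cookie name.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical Global.asax code-behind (added example, not from the question or answers).
public class Global : HttpApplication
{
    // Build the login ticket from <forms timeout="..."> in web.config so the cookie
    // lifetime and the configured authentication timeout cannot drift apart.
    // When you construct the ticket yourself, its Expiration is what the cookie enforces.
    public static HttpCookie CreateAuthCookie(string userName)
    {
        DateTime issued = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,
            userName,
            issued,
            issued.Add(FormsAuthentication.Timeout), // assumes .NET 4.0+; reads web.config
            false,                                   // non-persistent: cookie dies with the browser
            "AuthenticatedUser",
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                       // keep script from reading the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // mirrors requireSSL in web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        return cookie;
    }

    // Fires once per new session. An authenticated request that also carries a stale
    // ASP.NET_SessionId cookie means the session timed out before the forms cookie did
    // (the first failure mode in the answer above): force a fresh login rather than
    // running protected pages against an empty Session.
    protected void Session_Start(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated || !Session.IsNewSession) return;

        string cookieHeader = Request.Headers["Cookie"];
        bool hadSessionCookie = cookieHeader != null &&
            cookieHeader.IndexOf("ASP.NET_SessionId", StringComparison.OrdinalIgnoreCase) >= 0;

        if (hadSessionCookie)
        {
            FormsAuthentication.SignOut();
            Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

Call CreateAuthCookie from the login page and add the returned cookie to Response.Cookies in place of the hand-built 40-minute ticket.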

1
votes

The Forms Authentication timeout is related only to authentication of the user. It decides how long a user is recognized and remains authenticated in case of inactivity, whereas the session timeout deals with the cached data stored on the server (which can be in memory, SQL Server, etc.) and indicates how long to preserve the user's session in case of inactivity.

When a user hits a website, a Session is created for the user. This user may be anonymous or authenticated.

When using Forms Authentication (with cookies, suppose), after the specified timeout value the cookie expires and users are no longer authenticated. However, you may have stored data in session for the authenticated user, and the session data will be removed from the server when the session timeout value is reached.

Put simply: a user may or may not remain authenticated depending on the authentication timeout value.

The same user's specific data in session (such as background themes) may or may not remain in session depending on the session timeout value.

Similarly, when not using Forms Authentication, you can still store data in session for anonymous users. A user can close his browser (meaning he is no longer checking your website); again, the session data will be removed from the server when the session timeout value is reached.

0
votes

Use Google as much as you can; you will learn this ASAP.

However, the SessionState timeout is used for session time, i.e. how much time the session will live for.

The FormsAuthentication timeout is used when you log in with FormsAuthentication, i.e. the user will be logged out when he is idle for the time set at this point.