0 votes

I have an MVC3 website in which I have to redirect users to the login page when the session times out. After some research, I found that I have to add the following to the web.config

<sessionState mode="InProc" cookieless="false" timeout="1"></sessionState>

to set the user session timeout. In this case, if the user is idle, it will clear the user's session data after 1 minute. I have also added this

<authentication mode="Forms">
  <forms loginUrl="~/Default/Login" timeout="1"/>
</authentication>

to redirect the user to the login page in case the session times out. Actually, it works, but I have some questions so that I understand exactly what is happening:

  1. What is the relation between these 2 tags? what is the dependency between them?
  2. Is it mandatory to put the timeout attribute = 1 for both tags?
  3. Is there a better approach that I can follow to accomplish what I need?

Thanks in advance.

2
For #3 you never explained what your "need" is. - Jason Foglia

2 Answers

0 votes

The difference between SessionState and Forms Authentication is:

SessionState: A session is created for every request to your application, which would have its own timeout.

Forms Authentication: Authentication is created when a user authenticates with your application, which also would have its own timeout. This timeout value is stored as part of a Ticket; the Ticket is encrypted and stored in a cookie or in the URL (cookieless authentication), I believe.

If you want to end a user's authentication based on the session, you will have to write that into your application. The only reason I would do this is if I stored authenticated data in the session, so as to carry it across requests.

-2 votes

The sessionState element configures session-state settings for the current application. When a new client begins interacting with a Web application, a session ID is issued and associated with all the subsequent requests from the same client while the session is valid. This ID is used to maintain the server-side state that is associated with the client session across requests. The element controls how the ASP.NET application establishes and maintains this association for each client. This mechanism is very flexible and lets you host session-state information out of process and track state without using cookies, among other things.

Timeout: Specifies the number of minutes a session can be idle before it is abandoned. The timeout attribute cannot be set to a value that is greater than 525,601 minutes (1 year) for the in-process and state-server modes. The session timeout configuration setting applies only to ASP.NET pages. Changing the session timeout value does not affect the session time-out for ASP pages. Similarly, changing the session time-out for ASP pages does not affect the session time-out for ASP.NET pages. The default is 20 minutes.

Forms Authentication: This is a cookie-based authentication where username and password are stored on client machines as cookie files or are sent through the URL for every request. Form-based authentication presents the user with an HTML-based Web page that prompts the user for credentials.

All your questions are answered by the above description.
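
Both answers describe the two timers as independent, and the first answer says that ending the forms authentication when the session expires is something you have to write into the application yourself. The filter below is an added example of doing exactly that; it is not code from the question or from either answer. It assumes the question's web.config (InProc session state with the default `ASP.NET_SessionId` cookie name, and Forms authentication with `loginUrl="~/Default/Login"`), and the class name `SessionExpiredSignOutAttribute` is a hypothetical name chosen for this example.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example (hypothetical name). Register it once for the whole site in
// Global.asax.cs, inside RegisterGlobalFilters:
//   filters.Add(new SessionExpiredSignOutAttribute());
//
// Assumed web.config, in the same shape as the question's (values are illustrative):
//   <sessionState mode="InProc" cookieless="false" timeout="20" />
//   <authentication mode="Forms">
//     <forms loginUrl="~/Default/Login" timeout="20" slidingExpiration="true" requireSSL="true" />
//   </authentication>
public class SessionExpiredSignOutAttribute : ActionFilterAttribute
{
    // ASP.NET's default session cookie name; change it if <sessionState cookieName="..."> is set.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase ctx = filterContext.HttpContext;
        HttpSessionStateBase session = ctx.Session;

        // Anonymous requests are left to [Authorize]; there is nothing to tear down.
        if (session == null || !ctx.Request.IsAuthenticated)
        {
            base.OnActionExecuting(filterContext);
            return;
        }

        // Use the raw Cookie header rather than Request.Cookies: when ASP.NET issues a
        // fresh session cookie it also adds it to Request.Cookies, so that collection
        // cannot tell "the browser sent one" from "we just minted one".
        string cookieHeader = ctx.Request.Headers["Cookie"];
        bool browserSentSessionCookie = cookieHeader != null
            && cookieHeader.IndexOf(SessionCookieName, StringComparison.OrdinalIgnoreCase) >= 0;

        // A brand-new session on a request that still carried a session cookie means the
        // old session was abandoned (idle longer than sessionState timeout, or the InProc
        // state was lost to an app-pool recycle) while the forms ticket is still valid.
        // The two timers never talk to each other; this is the place they are tied together.
        if (session.IsNewSession && browserSentSessionCookie)
        {
            session.Clear();
            session.Abandon();
            FormsAuthentication.SignOut();   // clears the forms cookie (.ASPXAUTH by default)

            filterContext.Result = new RedirectResult(FormsAuthentication.LoginUrl);
            return;
        }

        base.OnActionExecuting(filterContext);
    }
}
```

Two points worth keeping in mind when using this. First, the forms ticket `timeout` is the setting that actually bounds how long a stolen or left-behind authentication cookie stays usable, so pick it on its own merits rather than mirroring the session value; the session timeout only governs when server-side data is discarded, and with `slidingExpiration="true"` (the default) the ticket is renewed on activity, which is usually what an idle-logout policy wants. Second, `mode="InProc"` keeps sessions in the worker process, so an app-pool recycle looks identical to an idle timeout and will sign everyone out; that is the expected behaviour of this filter, not a bug, but it is one more reason not to rely on the session timer alone as an authorization control.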