1
votes

The ASP.NET application kicks out the users after 20 min even though it has the following in the Web.config and the users are posting the forms:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880"/>
</authentication>

Reading this, I get the impression that I need to add sliding expiration AND set sessionState to at least 2880 in order to achieve at least a 48 min timeout that would be restarted every time the user does a POST.

Is that correct?

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" slidingExpiration="true"/>
</authentication>

<sessionState mode="InProc" cookieless="false" timeout="3000" />
1
I suggested this as an edit, but since it does appear you were referring to 48 minutes instead of 48 hours then it is worth noting that the timeout values are in minutes so 2880 is actually 48 hours. - Matthew
Yes, the intent of the site developer was to use 40~something min for a timeout and they probably got the number wrong. I just need to overcome the default 20 min timeout. - ajeh

1 Answer

1
votes

Authentication and session state are different entities. The timeout attribute under the authentication tag sets the time before the authentication cookie expires (in minutes). You can actually view the cookie itself in the Chrome browser within Developer Tools -> Resources -> Cookies (.ASPXAUTH is the default name). By setting sliding expiration equal to true, you will renew the cookie each time an authenticated user submits a request.

Session state controls the amount of time before the session expires. Once again, submitting a request will reset the timer. In many scenarios, web applications will require both the authentication cookie to be valid and the session to be current in order for the user to remain logged in. It's also often a bad idea to set the session timeout to a very long value (more than a couple of hours) for security reasons. If you did want to maintain the current session for a long period of time regardless of activity, however, you would set the timeout value as you have done.

In your case, it sounds like you do need to set both timeout values to the desired amount of time if you want the user to remain logged in despite inactivity.
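An added example, not code from the question or the answer: a Global.asax handler for an ASP.NET 4.x (System.Web) site that logs the remaining lifetime of the forms-authentication ticket and the session timeout on every request. It lets you confirm server-side that the two timeouts are independent and that sliding expiration actually reissues the cookie, rather than relying on the browser's cookie viewer. The handler, the use of System.Diagnostics.Trace for output and the "any forms-authenticated site" setup are assumptions for this illustration; the only configuration it relies on is the `<authentication mode="Forms">` and `<sessionState>` elements quoted in the question.

```csharp
// Added example (not from the question or answer). Assumes a System.Web
// (ASP.NET 4.x) application configured with <authentication mode="Forms">
// and <sessionState>, as in the Web.config shown in the question.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // PostAcquireRequestState runs after FormsAuthenticationModule (which has
    // validated the ticket and, with slidingExpiration="true", may have reissued
    // it) and after SessionStateModule (which has loaded the session), so both
    // can be inspected in one place.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        string cookieName = FormsAuthentication.FormsCookieName; // ".ASPXAUTH" by default
        HttpCookie authCookie = Request.Cookies[cookieName];     // ticket as sent by the client
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
        {
            return; // anonymous request: nothing to report
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            // Cookie could not be decrypted or validated (tampered, or issued under
            // a different machineKey); the module already treats it as anonymous.
            return;
        }
        if (ticket == null)
        {
            return;
        }

        // Ticket timestamps are local server time.
        TimeSpan ticketLifetime  = ticket.Expiration - ticket.IssueDate;
        TimeSpan ticketRemaining = ticket.Expiration - DateTime.Now;

        // Do not use Response.Cookies[name] here: that indexer creates the cookie
        // if it is missing. AllKeys only reports cookies the module already added,
        // so this is true exactly when the ticket was reissued on this request.
        bool reissued = Array.IndexOf(Response.Cookies.AllKeys, cookieName) >= 0;

        HttpSessionState session = Context.Session; // null for handlers without session state
        string sessionInfo = session == null
            ? "session=none"
            : string.Format("session={0} sessionTimeout={1}min newSession={2}",
                            session.SessionID, session.Timeout, session.IsNewSession);

        // ticketLifetime should match <forms timeout="...">; ticketRemaining falls
        // request by request and jumps back to the full lifetime when the module
        // reissues the cookie. sessionTimeout comes from <sessionState timeout="...">
        // and is unrelated to the ticket.
        Trace.WriteLine(string.Format(
            "[{0}] user={1} authenticated={2} ticketExpired={3} ticketLifetime={4}min ticketRemaining={5:F1}min reissued={6} {7}",
            Request.Path,
            ticket.Name,
            Context.User != null && Context.User.Identity.IsAuthenticated,
            ticket.Expired,
            (int)ticketLifetime.TotalMinutes,
            ticketRemaining.TotalMinutes,
            reissued,
            sessionInfo));
    }
}
```

Watch the trace output across a sequence of requests: with `slidingExpiration="true"` the module does not reissue the cookie on every request but only once more than half of the configured timeout has elapsed since the ticket was issued, so `reissued=True` appears periodically rather than continuously. If the user is still being logged out while `ticketRemaining` is large, the cause is the session (or application code that checks it), not the authentication cookie.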