I have a ASP.NET website which uses forms authentication. The timeout is twenty minutes.
I have noticed that if a user half completes a form, and is then timed out, they are redirected to the login page, fill it in, and are redirected back to the form but with EMPTY controls.
I had prevously assumed that ASP.NET would use some skulduggery to repopulate the form controls when this happens.
Are there changes I can make to make sure it does?
I think the best solution to your problem is to set the slidingExpiration attribute to true on the forms authentication element in web.config. This way the user only loses his/her data when they take in excess of 20 minutes to fill in the form.
The problem occurs because asp.net "remembers" values that have been entered in the form by means of a concept called viewstate, which is basically just a hidden form field. When the server does a redirect to the login page, all form fields are lost because a redirect cannot contain POST data.
If you want your users to be able to take longer than 20 minutes to fill in the form, you can consider having some javascript on the page containing the form, which makes an ajax call to the server every x minutes. With sliding expiration, this will reset the session expiration time everytime the ajax call is fired, and thus it will never log your user out as long as they are viewing the page containing the form.
