Authentication question

Discussion in 'ASP .Net' started by Joe Fallon, Feb 14, 2005.

  1. Joe Fallon

    Joe Fallon Guest

    I use Forms authentication and State Server and Cookies are enabled.

    Is this correct?

    If the session is set to timeout in 20 minutes that means that if there is
    no activity for 20 minutes then the session will expire and the user will
    have to log in again. But if they request pages then the 20 minute period
    restarts after each page is requested.

    If the user is active for 20 minutes and then is idle for the next 15 the
    session has not timed out and they should not have to log in again.

    But does the authentication ticket in the cookie expire in 30 minutes?

    If so, does THAT force a log in again?

    What is the "best" way to coordinate these 2 to minimize the amount of
    re-logging in and yet maintaining some basic level of security?

    Thanks!

    --
    Joe Fallon
     
    Joe Fallon, Feb 14, 2005
    #1

  2. Scott Allen

    Scott Allen Guest

    Hi Joe:

    The session timeout and forms authentication cookie timeout are
    independent, as you pointed out. The user could sit idle for 25
    minutes and have the session timeout but still have a good cookie and
    be authenticated.

    You could synchronize the two to use the same timeout value, but I
    would not assume that a user with a session is authenticated, or that
    an authenticated user has a session. For example you can imagine the
    user logging in then the application restarting (perhaps because
    web.config was touched). The user would still have a good
    authentication cookie but all of the inproc session state is gone.

    Helpful?

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/


    On Mon, 14 Feb 2005 09:59:46 -0500, "Joe Fallon"
    <> wrote:

    >I use Forms authentication and State Server and Cookies are enabled.
    >
    >Is this correct?
    >
    >If the session is set to timeout in 20 minutes that means that if there is
    >no activity for 20 minutes then the session will expire and the user will
    >have to log in again. But if they request pages then the 20 minute period
    >re-starts after
    >each page is requested.
    >
    >If the user is active for 20 minutes and then is idle for the next 15 the
    >session has not timed out and they should not have to log in again.
    >
    >But does the authentication ticket in the cookie expire in 30 minutes?
    >
    >If so, does THAT force a log in again?
    >
    >What is the "best" way to coordinate these 2 to minimize the amount of
    >re-logging in
    >and yet maintaining some basic level of security?
    >
    >Thanks!
     
    Scott Allen, Feb 14, 2005
    #2
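    Scott's point that a valid session and a valid ticket are two separate facts is easy to get wrong in code. The handler below is an added example (not from this thread, not from Scott, and not from any Microsoft sample) of how an ASP.NET application can check both states on every request instead of assuming one implies the other. It assumes a Global.asax code-behind, a hypothetical `LoadProfile` helper, a session key named `profile`, and a login page at `~/Login.aspx`; none of those names come from the thread.

    ```csharp
    // Global.asax.cs (hypothetical, added example; not code from the thread)
    using System;
    using System.Web;
    using System.Web.Security;
    using System.Web.SessionState;

    public class Global : HttpApplication
    {
        // AcquireRequestState fires after AuthenticateRequest, so both the
        // forms ticket (ctx.User) and the session (ctx.Session) are available.
        protected void Application_AcquireRequestState(object sender, EventArgs e)
        {
            HttpContext ctx = HttpContext.Current;
            if (ctx.Session == null)
            {
                return; // handler that does not use session state (e.g. static files)
            }

            bool hasValidTicket = ctx.User != null && ctx.User.Identity.IsAuthenticated;
            bool hasSessionData = ctx.Session["profile"] != null;   // assumed session key

            if (hasValidTicket && !hasSessionData)
            {
                // Good ticket, empty session: the session idled out or the
                // application restarted (web.config touched, InProc state lost).
                // Rebuild per-user data from the ticket's identity; no re-login needed.
                ctx.Session["profile"] = LoadProfile(ctx.User.Identity.Name);
            }
            else if (!hasValidTicket && hasSessionData)
            {
                // Live session, no ticket: the cookie expired or was removed.
                // Drop the stale session so nothing acts on it, then require a fresh login.
                ctx.Session.Abandon();
                FormsAuthentication.SignOut();
                ctx.Response.Redirect("~/Login.aspx");   // assumed login page path
            }
            // Both present: normal request. Neither present: anonymous request,
            // and <authorization> rules decide whether it is allowed.
        }

        // Hypothetical helper: looks up whatever per-user data the app keeps in session.
        private static object LoadProfile(string userName)
        {
            return new { UserName = userName, LoadedAt = DateTime.UtcNow };
        }
    }
    ```

    On the configuration side, the two timeouts Joe asks about live in different places: the session idle timeout is `<sessionState mode="StateServer" timeout="20" />`, and the ticket lifetime is the `timeout` attribute on `<forms ... timeout="20" slidingExpiration="true" />`. With `slidingExpiration="true"` the ticket is reissued when a request arrives after more than half of the timeout has elapsed, so an active user is not logged out at a fixed 30 minutes; the trade-off is that a continuously active ticket never expires on its own, so an absolute upper bound on login age has to be enforced separately if the application needs one.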

  3. Joe Fallon

    Joe Fallon Guest

    Yes.
    I also found the settings (RTM) and chose to set a sliding timeout for the
    cookie.
    I just didn't know it existed. So I wasn't aware of why some testers
    complained about having to login when I knew their session had not expired.

    Much better now.
    Thanks!
    --
    Joe Fallon




    "Scott Allen" <> wrote in message
    news:...
    > Hi Joe:
    >
    > The session timeout and forms authentication cookie timeout are
    > independent, as you pointed out. The user could sit idle for 25
    > minutes and have the session timeout but still have a good cookie and
    > be authenticated.
    >
    > You could synchronize the two to use the same timeout value, but I
    > would not assume that a user with a session is authenticated, or that
    > an authenticated user has a session. For example you can imagine the
    > user logging in then the application restarting (perhaps because
    > web.config was touched). The user would still have a good
    > authentication cookie but all of the inproc session state is gone.
    >
    > Helpful?
    >
    > --
    > Scott
    > http://www.OdeToCode.com/blogs/scott/
    >
    >
    > On Mon, 14 Feb 2005 09:59:46 -0500, "Joe Fallon"
    > <> wrote:
    >
    >>I use Forms authentication and State Server and Cookies are enabled.
    >>
    >>Is this correct?
    >>
    >>If the session is set to timeout in 20 minutes that means that if there is
    >>no activity for 20 minutes then the session will expire and the user will
    >>have to log in again. But if they request pages then the 20 minute period
    >>re-starts after
    >>each page is requested.
    >>
    >>If the user is active for 20 minutes and then is idle for the next 15 the
    >>session has not timed out and they should not have to log in again.
    >>
    >>But does the authentication ticket in the cookie expire in 30 minutes?
    >>
    >>If so, does THAT force a log in again?
    >>
    >>What is the "best" way to coordinate these 2 to minimize the amount of
    >>re-logging in
    >>and yet maintaining some basic level of security?
    >>
    >>Thanks!

    >
     
    Joe Fallon, Feb 15, 2005
    #3
