Authentication question

J

Joe Fallon

I use Forms authentication and State Server and Cookies are enabled.

Is this correct?

If the session is set to timeout in 20 minutes that means that if there is
no activity for 20 minutes then the session will expire and the user will
have to log in again. But if they request pages then the 20 minute period
re-starts after
each page is requested.

If the user is active for 20 minutes and then is idle for the next 15 the
session has not timed out and they should not have to log in again.

But does the authentication ticket in the cookie expire in 30 minutes?

If so, does THAT force a log in again?

What is the "best" way to coordinate these 2 to minimize the amount of
re-logging in
and yet maintaining some basic level of security?

Thanks!
 
S

Scott Allen

Hi Joe:

The session timeout and forms authentication cookie timeout are
independent, as you pointed out. The user could sit idle for 25
minutes and have the session timeout but still have a good cookie and
be authenticated.

You could synchronize the two to use the same timeout value, but I
would not assume that a user with a session is authenticated, or that
an authenticated user has a session. For example you can imagine the
user logging in then the application restarting (perhaps because
web.config was touched). The user would still have a good
authentication cookie but all of the inproc session state is gone.

Helpful?
 
J

Joe Fallon

Yes.
I also found the settings (RTM) and chose to set a sliding timeout for the
cookie.
I just didn't know it existed. So I wasn't aware of why some testers
complained about having to login when I knew their session had not expired.

Much better now.
Thanks!
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,904
Latest member
HealthyVisionsCBDPrice

Latest Threads

Top