Timing (forms) authenticated sessions out.

P

Paul

Hi,

I'm experimenting with forms authentication which I've got working (it's
based on some technet stuff.) One thing however, is confusing me.

A cookie is created based on the authentication ticket and there seem to
be a number of expiry/expiration values. There's one in web.config in
the <forms....timeout="20" /> element. There's also one in the creation
of the authentication ticket. I believe that there's yet another in
web.config to do with sessions and there may even be some in IIS!

What I want is for the user to be timed out after a set time, so that if
they walk away for longer than this time and they (or anyone else for
that matter) request a secured page, then they are re-directed to the
login page. I don't need it to automatically redirect on timeout (I
suspect that might involve adding a refresh command to the page to be
executed clientside)

Also, if they continue using the app, I don't want them to be challenged
to re-authenticate every (say) 20 mins.

Which setting(s) do I have to set, or do I have to check in code on
every page that the cookie is still "in date"?

Thanks to anyone who can help my understanding.

Paul
 
P

Paul Glavich [MVP - ASP.NET]

The <forms....timeout="20" /> method is equivalent to setting the value in
code which you have mentioned below. Just that the former method is
declaritive via the web.config and the other is programatic (in code) and
not as easily changed.

The <sessionState timeout= ... /> setting is simply for session values/data.
So, the auth cookie may not have timed out, but the session data stored in
the session variables will be reset/lost after this period.

The IIS session timeout value can effectively be ignored as it only applies
(to the best of my knowledge) to the "classic asp" style session state.
 
H

Hernan de Lahitte

If you have slidingExpiration turned on, the cookie lifetime will be
extended for the timeout period as long as the user hit any page under
FormsAuth within the timeframe specified by the timeout setting. So
FormsAuth will keep track of the cookie lifetime for you and if you set an
appropriate timeout value, you should have the desired behavior (if the user
keeps on using the app, there won't be any login page presented).


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,743
Messages
2,569,478
Members
44,899
Latest member
RodneyMcAu

Latest Threads

Top