Timing (forms) authenticated sessions out.

Discussion in 'ASP .Net Security' started by Paul, Apr 21, 2004.

  1. Paul

    Paul Guest

    Hi,

    I'm experimenting with forms authentication which I've got working (it's
    based on some technet stuff.) One thing however, is confusing me.

    A cookie is created based on the authentication ticket and there seem to
    be a number of expiry/expiration values. There's one in web.config in
    the <forms....timeout="20" /> element. There's also one in the creation
    of the authentication ticket. I believe that there's yet another in
    web.config to do with sessions and there may even be some in IIS!

    What I want is for the user to be timed out after a set time, so that if
    they walk away for longer than this time and they (or anyone else for
    that matter) request a secured page, then they are re-directed to the
    login page. I don't need it to automatically redirect on timeout (I
    suspect that might involve adding a refresh command to the page to be
    executed clientside)

    Also, if they continue using the app, I don't want them to be challenged
    to re-authenticate every (say) 20 mins.

    Which setting(s) do I have to set, or do I have to check in code on
    every page that the cookie is still "in date"?

    Thanks to anyone who can help my understanding.

    Paul
    --
    Paul
     
    Paul, Apr 21, 2004
    #1

  2. The <forms....timeout="20" /> method is equivalent to setting the value in
    code which you have mentioned below. Just that the former method is
    declarative via the web.config and the other is programmatic (in code) and
    not as easily changed.

    The <sessionState timeout= ... /> setting is simply for session values/data.
    So, the auth cookie may not have timed out, but the session data stored in
    the session variables will be reset/lost after this period.

    The IIS session timeout value can effectively be ignored as it only applies
    (to the best of my knowledge) to the "classic asp" style session state.

    --
    - Paul Glavich
    Microsoft MVP - ASP.NET


    "Paul" <> wrote in message
    news:z$...
    > Hi,
    >
    > I'm experimenting with forms authentication which I've got working (it's
    > based on some technet stuff.) One thing however, is confusing me.
    >
    > A cookie is created based on the authentication ticket and there seem to
    > be a number of expiry/expiration values. There's one in web.config in
    > the <forms....timeout="20" /> element. There's also one in the creation
    > of the authentication ticket. I believe that there's yet another in
    > web.config to do with sessions and there may even be some in IIS!
    >
    > What I want is for the user to be timed out after a set time, so that if
    > they walk away for longer than this time and they (or anyone else for
    > that matter) request a secured page, then they are re-directed to the
    > login page. I don't need it to automatically redirect on timeout (I
    > suspect that might involve adding a refresh command to the page to be
    > executed clientside)
    >
    > Also, if they continue using the app, I don't want them to be challenged
    > to re-authenticate every (say) 20 mins.
    >
    > Which setting(s) do I have to set, or do I have to check in code on
    > every page that the cookie is still "in date"?
    >
    > Thanks to anyone who can help my understanding.
    >
    > Paul
    > --
    > Paul
     
    Paul Glavich [MVP - ASP.NET], Apr 26, 2004
    #2

  3. If you have slidingExpiration turned on, the cookie lifetime will be
    extended for the timeout period as long as the user hits any page under
    FormsAuth within the timeframe specified by the timeout setting. So
    FormsAuth will keep track of the cookie lifetime for you and if you set an
    appropriate timeout value, you should have the desired behavior (if the user
    keeps on using the app, there won't be any login page presented).


    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://weblogs.asp.net/hernandl


    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Hernan de Lahitte, Apr 26, 2004
    #3
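
The ticket lifetime discussed in this thread, replayed for timeout="20" with and without slidingExpiration. This is an added example, not code from any of the posters: `Ticket`, `RenewIfOld` and `Replay` are hypothetical names, and the renewal rule mirrors the one `FormsAuthentication.RenewTicketIfOld` applies (the ticket is reissued only once more than half of the timeout has elapsed).

```csharp
using System;

// Model of the forms-authentication ticket lifetime. No System.Web dependency;
// the Ticket class and the request times below are constructed for illustration.
class Ticket
{
    public DateTime Issued, Expires;
    public Ticket(DateTime issued, TimeSpan timeout) { Issued = issued; Expires = issued + timeout; }
}

static class SlidingExpirationDemo
{
    // Same rule FormsAuthentication.RenewTicketIfOld applies: reissue only when
    // the time remaining is no longer greater than the time already elapsed.
    static Ticket RenewIfOld(Ticket t, DateTime now)
    {
        TimeSpan elapsed = now - t.Issued, remaining = t.Expires - now;
        return remaining > elapsed ? t : new Ticket(now, t.Expires - t.Issued);
    }

    // Replays request times (minutes after login) and reports each outcome.
    static void Replay(string label, bool sliding, int timeoutMin, int[] requestMinutes)
    {
        DateTime login = new DateTime(2004, 4, 21, 9, 0, 0);
        Ticket t = new Ticket(login, TimeSpan.FromMinutes(timeoutMin));
        Console.WriteLine(label);
        foreach (int m in requestMinutes)
        {
            DateTime now = login.AddMinutes(m);
            if (t.Expires < now)
            {
                Console.WriteLine("  t+{0,2} min: ticket expired, redirect to login page", m);
                return;
            }
            if (sliding) t = RenewIfOld(t, now);
            Console.WriteLine("  t+{0,2} min: allowed, ticket expires at t+{1} min",
                m, (t.Expires - login).TotalMinutes);
        }
    }

    static void Main()
    {
        // timeout="20" as in the thread; request times are constructed samples.
        Replay("sliding, steady use", true, 20, new[] { 8, 16, 30, 45 });
        Replay("sliding, last hit before half-time", true, 20, new[] { 9, 21 });
        Replay("absolute (slidingExpiration=false)", false, 20, new[] { 8, 16, 21 });
    }
}
```

The second replay shows the practical consequence: a request in the first half of the window does not extend the ticket, so the effective idle timeout falls anywhere between half the configured value and the full value.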