R
rmgalante
I have a web farm with 3 machines running windows 2003 server. I am
running an asp.net 2.0 application that uses forms authentication. My
authentication cookie uses sliding expiration and has a timeout of 15
minutes. My session has a timeout of 20 minutes. Session state is
maintained in a Sql Server 2005 database.
My site works with anonymous and authenticated users. Anonymous users
can search for information and purchase products. Authenticated users
are administrators that configure the database with an administrative
menu of scripts.
My web.config has the following configuration in web.config.
</authentication>
I thought that as long as the authenticated user is viewing pages, the
sliding expiration will keep resetting the authentication cookie's
timeout. The admin section uses meta tags in the header of each page
that refresh at 19.5 minutes intervals (0.5 minutes before the session
timeout). This way I can log the user out before the one session
variable I use for UserId gets deleted.
But I am seeing the anonymous users getting redirected to the login
page. These pages do not have the refresh meta tag. And the users are
not logged in. Why are they getting redirected to the Login page.
Is it possible that an administrative user who logs out still has a
cookie in their browser? And if that administrative user surfs the
site as an anonymous user afterwards, the cookie is still detected,
and it expires in 15 minutes?
I need to get to the bottom of this issue. I can't have anonymous
users redirected to a login page.
running an asp.net 2.0 application that uses forms authentication. My
authentication cookie uses sliding expiration and has a timeout of 15
minutes. My session has a timeout of 20 minutes. Session state is
maintained in a Sql Server 2005 database.
My site works with anonymous and authenticated users. Anonymous users
can search for information and purchase products. Authenticated users
are administrators that configure the database with an administrative
menu of scripts.
My web.config has the following configuration in web.config.
</authentication>
I thought that as long as the authenticated user is viewing pages, the
sliding expiration will keep resetting the authentication cookie's
timeout. The admin section uses meta tags in the header of each page
that refresh at 19.5 minutes intervals (0.5 minutes before the session
timeout). This way I can log the user out before the one session
variable I use for UserId gets deleted.
But I am seeing the anonymous users getting redirected to the login
page. These pages do not have the refresh meta tag. And the users are
not logged in. Why are they getting redirected to the Login page.
Is it possible that an administrative user who logs out still has a
cookie in their browser? And if that administrative user surfs the
site as an anonymous user afterwards, the cookie is still detected,
and it expires in 15 minutes?
I need to get to the bottom of this issue. I can't have anonymous
users redirected to a login page.