Forms Authentication Timeout vs Session Timeout

In my ASP.NET website I am using ASP.NET forms authentication with the following configuration:

    <authentication mode="Forms">
      <forms loginUrl="~/Pages/Common/Login.aspx"
             defaultUrl="~/Pages/index.aspx"
             protection="All"
             timeout="30"
             name="MyAuthCookie"
             path="/"
             requireSSL="false"
             cookieless="UseDeviceProfile"
             enableCrossAppRedirects="false" >
      </forms>
    </authentication>

I have the following questions:

  1. What should the timeout value for the session be, because I am using sliding expiration in forms authentication, due to which the session will expire before the forms authentication. How can I protect it?

  2. After forms authentication logout I would like to redirect to logout.aspx, but it automatically redirects me to loginpage.aspx. How is it possible?

Hemant Kothiyal asked Sep 24 '09 10:09



1 Answer

  1. To be on the safe side: TimeOut(Session) <= TimeOut(FormsAuthentication) * 2
  2. If you want to show a page other than the one specified in the loginUrl attribute after the authentication timeout, you need to handle this manually, as ASP.NET does not provide a way of doing it.

To achieve #2 you can manually check the cookie and its FormsAuthenticationTicket for expiration and redirect to your custom page if it has expired.
You can do it in one of these events: AcquireRequestState or AuthenticateRequest.

Sample code in the event can look like this:

    // Global.asax: runs on every request before the page handler executes
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Retrieve the forms authentication cookie
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return; // no cookie: anonymous request, nothing to do

        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception decryptError)
        {
            // Tampered or undecryptable cookie: treat the request as not authenticated.
            // Log decryptError server-side; do not echo it to the client.
        }
        if (ticket == null) return; // not authorised

        // Ticket has expired: clear the stale cookie first so the expired-page
        // request does not come back here and redirect again, then send the
        // user to the custom page instead of loginUrl.
        if (ticket.Expired)
        {
            FormsAuthentication.SignOut();
            Response.Redirect("~/SessionExpiredPage.aspx", true); // Or do other stuff here
        }
    }
Dmytrii Nagirniak answered Oct 12 '22 19:10
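As an added example (not part of the question or the answer above), the following Python script simulates how the two timers in question 1 interact. It models the rule ASP.NET applies for sliding expiration, in which the ticket is re-issued only once more than half of its lifetime has elapsed, beside a session that is refreshed on every request, and reports the first request that arrives with a still-valid authentication cookie but a session that has already timed out. The 30-minute forms timeout comes from the question's web.config; the 20-minute session timeout and the request patterns are constructed assumptions.

```python
"""Sliding expiration vs. session timeout, simulated.

Added example, not code from the question or the answer. Times are minutes
since login. renew_ticket_if_old mirrors the rule ASP.NET applies with
slidingExpiration="true": the ticket is re-issued only once more than half
of its lifetime has elapsed, so right after any request the cookie has
between timeout/2 and timeout minutes left. The session timeout value is
an assumption; the page only shows <forms timeout="30">.
"""
from dataclasses import dataclass
from typing import List, Optional

FORMS_TIMEOUT_MIN = 30    # <forms timeout="30"> from the question's web.config
SESSION_TIMEOUT_MIN = 20  # assumed <sessionState timeout="20"> (the ASP.NET default)


@dataclass(frozen=True)
class Ticket:
    """The two FormsAuthenticationTicket fields the renewal rule depends on."""
    issue_date: float
    expiration: float

    def expired(self, now: float) -> bool:
        return now > self.expiration


def renew_ticket_if_old(ticket: Ticket, now: float, timeout: float) -> Ticket:
    """Re-issue the ticket only if more than half of its lifetime has been used."""
    since_issue = now - ticket.issue_date
    until_expiry = ticket.expiration - now
    if since_issue > until_expiry:
        return Ticket(issue_date=now, expiration=now + timeout)
    return ticket


def first_orphan(request_times: List[float],
                 forms_timeout: float,
                 session_timeout: float) -> Optional[float]:
    """Time of the first request that carries a still-valid auth cookie but
    finds its session already timed out (the state the question describes),
    or None if the pattern never produces one.

    request_times[0] is the login request: ticket and session both start there.
    """
    login = request_times[0]
    ticket = Ticket(issue_date=login, expiration=login + forms_timeout)
    last_activity = login
    for now in request_times[1:]:
        authenticated = not ticket.expired(now)
        session_alive = (now - last_activity) < session_timeout
        if authenticated and not session_alive:
            return now
        if authenticated:
            ticket = renew_ticket_if_old(ticket, now, forms_timeout)
        else:
            # Cookie expired: FormsAuthenticationModule sends the user to
            # loginUrl; model the re-login as a fresh ticket.
            ticket = Ticket(issue_date=now, expiration=now + forms_timeout)
        last_activity = now  # session state is touched on every request
    return None


if __name__ == "__main__":
    # Constructed pattern: login at 0, requests at 16 and 40. At 16 more than
    # half of the 30-minute ticket is used, so it is renewed to expire at 46;
    # the 24-minute gap that follows outlives a 20-minute session, not the cookie.
    pattern = [0, 16, 40]
    print(first_orphan(pattern, FORMS_TIMEOUT_MIN, SESSION_TIMEOUT_MIN))  # 40
    print(first_orphan(pattern, FORMS_TIMEOUT_MIN, 30))                    # None
```

With the values above, the request at minute 40 is still authenticated (the ticket was renewed at minute 16) but its session is gone, which is exactly the situation the question describes. Because the cookie never has more than the full forms timeout left after a request, a session timeout of at least the forms timeout (30 here) makes first_orphan return None for every request pattern; anything shorter leaves a window in which a user is authenticated without session data.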