Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Forms authentication timeout vs sessionState timeout

I have code that i am looking through regarding session time outs of the website. In the web.config i came across this code.

 <authentication mode="Forms">
  <forms loginUrl="~/Auth/SignOn.aspx" timeout="40" slidingExpiration="true" />
</authentication>

<sessionState timeout="30" />

Does anyone know if one takes precedent over the other, and how they are different. Thanks.

like image 660
Lucky Luke2 Avatar asked Oct 16 '22 11:10

Lucky Luke2


People also ask

What is authentication mode forms?

Forms authentication enables user and password validation for Web applications that do not require Windows authentication. With forms authentication, user information is stored in an external data source, such as a Membership database, or in the configuration file for an application.

What is the default session timeout in C#?

The default is 10 minutes.

What is the maximum session timeout in asp net?

The Timeout property cannot be set to a value greater than 525,600 minutes (1 year). The default value is 20 minutes.


2 Answers

They are different things. The Forms Authentication Timeout value sets the amount of time in minutes that the authentication cookie is set to be valid, meaning, that after value number of minutes, the cookie will expire and the user will no longer be authenticated—they will be redirected to the login page automatically. The slidingExpiration=true value is basically saying that as long as the user makes a request within the timeout value, they will continue to be authenticated (more details here). If you set slidingExpiration=false the authentication cookie will expire after value number of minutes regardless of whether the user makes a request within the timeout value or not.

The SessionState timeout value sets the amount of time in minutes a Session State provider is required to hold data in memory (or whatever backing store is being used, SQL Server, OutOfProc, etc) for a particular session. For example, if you put an object in Session using the value in your example, this data will be removed after 30 minutes. The user may still be authenticated but the data in the Session may no longer be present. The Session Timeout value is always reset after every request as suggested here and here (might require cookies; vs cookieless)

like image 120
Icarus Avatar answered Oct 21 '22 01:10

Icarus


The slidingExpiration=true value is basically saying that after every request made, the timer is reset and as long as the user makes a request within the timeout value, he will continue to be authenticated.

This is not correct. The authentication cookie timeout will only be reset if half the time of the timeout has passed.

See for example https://support.microsoft.com/de-ch/kb/910439/en-us or https://itworksonmymachine.wordpress.com/2008/07/17/forms-authentication-timeout-vs-session-timeout/

like image 29
Silvan Hofer Avatar answered Oct 21 '22 00:10

Silvan Hofer