Why is Session State timeout overriding Forms Authentication timeout in my MVC3 application?

I have the following in my web.config

<sessionState mode="InProc"
              timeout="2"
              cookieless="UseCookies" />
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn"
         timeout="1"
         cookieless="UseCookies" />
</authentication>

As far as I understand, in MVC3 (or in ASP.NET) sessionState controls when the user's session on the server times out, and the forms authentication timeout controls when the user will be forced to log in to the website again.

This doesn't seem to be exactly true: if I remove the sessionState section from my web.config, the timeout in the authentication section is completely ignored - it seems to just time out after some default length of time.

In fact the session state timeout seems to be required to control when authentication times out. This doesn't make any sense at all. Can anyone tell me what I am missing here?

This is related to this question that I asked, but I didn't get to the bottom of why this is the case.

bplus asked Oct 08 '22 22:10


1 Answer

Session timeout is independent of forms authentication timeout.

You didn't elaborate on how you created your ticket, so here are the most common quirks which may affect your observations:

  1. If you instantiated the auth ticket yourself, then the timeout setting in the config file has no effect.
  2. Sliding timeout is a little funky: the ticket will not be extended unless you visit again in the last half of the window.

You might want to check out this article for an overview:

http://support.microsoft.com/kb/910443

Riko answered Oct 12 '22 10:10
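
The sliding-timeout behaviour from point 2 of the answer, replayed against the 1-minute forms timeout in the question. This is an added example, not code from the original post or from System.Web: the Ticket, Renew and Replay names are hypothetical, the request timings are constructed, and the renewal rule is modelled as "reissue only once at least half of the ticket lifetime has elapsed".

```csharp
using System;

// Added illustration: a plain-C# model of the sliding-expiration rule.
// Ticket, Renew and Replay are hypothetical names, not System.Web APIs.
static class SlidingExpirationDemo
{
    struct Ticket { public TimeSpan Issued, Expires; }

    // Reissue the ticket only when at least half of its lifetime has elapsed.
    static Ticket Renew(Ticket t, TimeSpan now)
    {
        TimeSpan age = now - t.Issued;
        TimeSpan left = t.Expires - now;
        if (left > age) return t;   // still in the first half: expiry is unchanged
        return new Ticket { Issued = now, Expires = now + (t.Expires - t.Issued) };
    }

    // Replays request times (seconds after login) against a ticket with the given timeout.
    static void Replay(string label, TimeSpan timeout, params int[] requestSeconds)
    {
        Console.WriteLine(label);
        var ticket = new Ticket { Issued = TimeSpan.Zero, Expires = timeout };
        foreach (int s in requestSeconds)
        {
            TimeSpan now = TimeSpan.FromSeconds(s);
            if (now >= ticket.Expires)
            {
                Console.WriteLine("  t={0,3}s  ticket expired at {1}s -> redirect to loginUrl",
                                  s, ticket.Expires.TotalSeconds);
                return;
            }
            Ticket next = Renew(ticket, now);
            bool renewed = next.Issued != ticket.Issued;
            ticket = next;
            Console.WriteLine("  t={0,3}s  {1}, expires at {2}s",
                              s, renewed ? "renewed" : "not renewed", ticket.Expires.TotalSeconds);
        }
    }

    static void Main()
    {
        TimeSpan timeout = TimeSpan.FromMinutes(1);   // forms timeout="1" from the question
        // Constructed request timings, not measurements from the original post.
        Replay("Request only in the first half of the window:", timeout, 20, 70);
        Replay("Requests in the second half of the window:", timeout, 40, 70, 110);
    }
}
```

In the first replay the request at 20 seconds does not move the expiry, so the user is signed out at 60 seconds despite having been active; this is why the effective idle limit under sliding expiration can be as short as half the configured timeout.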