Why set forms authentication timeout longer than session timeout?

I think I understand the difference between ASP.NET's "session" and "forms authentication". Session is basically used for storing info specific to that user's session (maybe the state of a search filter), and the forms authentication is used to remember that they should have access to certain things.

My question is, why is it ever desirable to have the forms authentication timeout be longer than the session timeout? In fact, by default, web.config sets forms authentication's timeout to be much longer.

Here are the 2 scenarios I see:

  1. Session times out before forms auth does. User loses things like search filters and although they can still see secured pages, things may look different and various things may reset. In addition, the developer has to worry about Session becoming null every time they use it.
  2. Forms auth times out before session does. User has to re-enter username and password, but they get back to the page they were on and with the session info intact (unless that has also timed out). Developer only has to worry about Session being null in one place - on login - and can initialize it there if necessary.

Why would scenario 1) ever be more desirable? Am I missing something?

Jez asked Oct 08 '12 11:10



1 Answer

The thing is, Session timeout is a more critical setting than the other. Setting authentication timeout to a very long period will not affect the web application in terms of server resources. But if you set Session timeout to a long period, this could cause memory problems under high stakes.

You are right about your statement. As a developer I would prefer 2 over 1. However, there is an easy way to handle session expiration. Check out this SO question. One of the answers has a good solution to session expiration.

// Global.asax.cs: Session_Start runs once when ASP.NET creates a new Session
// for a request (requires System.Web and System.Web.Security).
protected void Session_Start(Object sender, EventArgs e)
{
    // A brand-new session on a request that still carries a valid forms
    // authentication ticket means the Session expired while the auth cookie
    // did not. Drop the ticket so the user has to sign in again.
    // On a first, anonymous visit IsAuthenticated is false and nothing happens.
    if (User.Identity.IsAuthenticated)
    {
        FormsAuthentication.SignOut();
        Response.Redirect("~/SessionEnd.aspx");
    }
}

This way you can handle expired Sessions in one place.

Yiğit Yener answered Sep 29 '22 16:09
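As an added example (not code from the question or the answer above), here is a complete Global.asax.cs that applies the answer's idea while keeping the asker's preferred outcome: the long forms timeout from the default web.config stays, but an expired Session forces a fresh login and the user is sent back to the page they were on. Login.aspx, the SessionState helper, and the timeout values in the comment are assumptions, not part of the original post.

```csharp
// Sample web.config fragment the code below assumes (constructed values):
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" timeout="2880" slidingExpiration="true" />
//   </authentication>
//   <sessionState mode="InProc" timeout="20" />
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // Fires once per new Session. If the request already carries a valid
    // forms ticket, the previous Session timed out while the cookie did not
    // (scenario 1 in the question). Turn it into scenario 2: re-authenticate.
    protected void Session_Start(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
            return; // anonymous first visit: nothing to do

        // Remove the auth cookie from the browser. Caveat for defenders:
        // forms tickets are self-contained, so SignOut does not invalidate
        // an unexpired copy of the ticket on the server side; the forms
        // timeout still bounds how long a stolen cookie stays usable.
        FormsAuthentication.SignOut();

        // Redirect to the configured loginUrl with the current page as
        // ReturnUrl, so after logging in the user lands where they were.
        string loginUrl = FormsAuthentication.LoginUrl
            + "?ReturnUrl=" + HttpUtility.UrlEncode(Request.RawUrl);
        Response.Redirect(loginUrl); // endResponse = true: stop this request
    }

    // Session data is (re)initialised in exactly one place, as the question
    // suggests: call this from Login.aspx right after SetAuthCookie.
    // (Hypothetical helper; the "SearchFilter" key is just an illustration.)
    public static void InitialiseSession(HttpSessionState session, string userName)
    {
        session["UserName"] = userName;
        session["SearchFilter"] = null; // per-user UI state starts clean
    }
}
```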