Differences in forms auth timeout and session timeout

The session state timeout is set using this web.config element

<sessionState mode="InProc" cookieless="false" timeout="120" />

The forms auth is configured using this web.config element

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH" 
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
  </authentication>
</system.web>

What is the difference between the timeouts specified in each of these elements? If both are different, how would it work?


Answers

A session starts every time a new user hits the website, regardless of whether or not they are anonymous. Authentication has very little to do with Session.

Authentication timeout is the amount of time that the authentication cookie is good for on the user’s browser. Once the cookie expires, they must re-authenticate to access protected resources on the site.

So, if Session times out before the Authentication cookie – they are still authenticated, but all their session variables disappear, and may cause errors in your website if you are not disciplined in checking for nulls and other conditions brought about by missing session.

If Authentication times out before the session, then all their session variables will still exist, but they won’t be able to access protected resources until they log back in again.

as expected.

E.g. if your session times out after 20 minutes, your session variables will be lost, but the user could access the pages which are protected by the authentication.

If the authentication times out, the user could not access the page which it protects, and the state of the session is irrelevant.

Session Timeout value must be smaller than FormsAuthentication timeout time. Because Session can be removed because of a reason and the scenario won’t work.

If Session times out, check the FormsAuthentication ticket. If the ticket is valid and has not timed out, then re-generate the session at your Login page (defined in your web.config file as the LoginUrl parameter of the FormsAuthentication settings).

If FormsAuthentication times out, ASP.NET FormsAuthentication redirects the user automatically to the Login page and the user has to log in again.

Don’t forget that FormsAuthentication automatically redirects the user to the login page when the ticket times out.

Actually I prefer this structure:

  1. Create a BasePage.cs for login required pages.
  2. At Page_Init in BasePage.cs, check Session. If the Session has expired, redirect the user to the Login page.

    if (Session["UserId"] == null) Response.Redirect("Login.aspx", true);

  3. At Page_Load in Login.aspx, check the Session and the FormsAuthentication ticket times properly.

        // User already has a session; redirect the user to the homepage.
        if (SessionHandler.UserId != 0)
            Response.Redirect("HomePage.aspx");
        else
        {
            // Session was killed; check whether the ticket is still valid.
            if (Context.User.Identity != null && Context.User.Identity.IsAuthenticated)
            {
                // Use the value stored in the FormsAuthentication ticket.
                var customDataToCheck = Context.User.Identity.Name;

                // Use the value to check that the user really exists, and check the db for the user's session.
                var user = CheckUserData(customDataToCheck);
                if (user != null)
                {
                    // Start the session here.
                    SessionHandler.StartSession(user);

                    // Redirect the user to whichever page you want.
                    Response.Redirect("HomePage.aspx?ref=regenerated_session");
                }
            }
        }
    
  4. At Login.aspx, use FormsAuthentication to create cookies.

    if (username == "testuser" && password == "testpassword")
    {
        // User data will be written to a cookie; store user data that lets you check whether the user is valid (for example Username or UserId).
        System.Web.Security.FormsAuthentication.SetAuthCookie("testUserData", keepMeSignedInCheckBox.Checked);
        Response.Redirect("HomePage.aspx");
    }
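
The two timers described in the answers above, replayed as a small Python model (an added example, not code from the question or any answer, and not ASP.NET code). It uses the question's values (`sessionState timeout="120"`, `forms timeout="30"` with `slidingExpiration="true"`) and the 20-minute session case from the answers; the request times are constructed, `simulate` and the state names are hypothetical, and it assumes every request refreshes the session idle timer and that re-login is not modelled.

```python
STATES = {
    (True, True): "ok",             # authenticated, session variables present
    (True, False): "auth-only",     # still logged in, session variables lost
    (False, True): "session-only",  # sent to login, session data still held
    (False, False): "neither",
}

def simulate(requests, session_timeout, forms_timeout, sliding=True):
    """Replay request times (minutes after a login at minute 0).

    Returns one (minute, state) tuple per request.
    """
    issued, expires = 0, forms_timeout  # forms-auth ticket lifetime
    authenticated = True
    last_seen, has_data = 0, True       # session idle timer and variables
    timeline = []
    for t in sorted(requests):
        # Forms auth: the ticket is valid until its expiry time.
        if authenticated and t > expires:
            authenticated = False       # stays False: re-login is not modelled
        elif authenticated and sliding and (t - issued) > (expires - t):
            # Sliding expiration reissues the ticket only once more than
            # half of the timeout has elapsed, not on every request.
            issued, expires = t, t + forms_timeout
        # Session: an idle timer that runs independently of the ticket.
        if t - last_seen > session_timeout:
            has_data = False            # a new, empty session replaces the old one
        last_seen = t
        timeline.append((t, STATES[(authenticated, has_data)]))
    return timeline

if __name__ == "__main__":
    # Question's config: the ticket slides at minutes 20 and 45, then lapses.
    print(simulate([10, 20, 45, 80], session_timeout=120, forms_timeout=30))
    # A request at minute 10 is too early to renew, so minute 35 is logged out
    # even though the user was active 25 minutes earlier.
    print(simulate([10, 35], session_timeout=120, forms_timeout=30))
    # Session shorter than the ticket: logged in, but session variables are gone.
    print(simulate([25, 30], session_timeout=20, forms_timeout=60))
```

In the `session-only` state the server still holds the user's session data after the login has lapsed, which is why logout and re-login code should reset the session explicitly rather than rely on either timer.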