4

I'm using forms authentication in asp.net.i have set my Authenticate cookie expiration to 60 mins,Session time out to 60 mins in web.config, time out in web.config to 60 mins and also in iis idle time out to 60 mins

    <authentication mode="Forms">
        <forms loginUrl="~/Account/Login.aspx" timeout="60" defaultUrl="~/Landing.aspx" slidingExpiration="true"/>
    </authentication>
    <system.web>
        <sessionState timeout="60" mode="InProc"/>
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
     2,                             // Version number
     txtUserName.Text.Trim(),      // Username
     DateTime.Now,                  // Issue date
     DateTime.Now.AddMinutes(60), // Expiration date
     false,                         // Persistent?
     userData                 // User data
     );

since i'm using forms authentication if the user is idle for 60 mins user should be redirected to login page after 60 mins.but i need to know what will happen if user is not idle for 60 mins.does the authenticate cookie will expire? despite the fact that user is still authenticated?

EDIT

i missed one more thing i have set Application Pool Identity in IIS to Network Service

Improve this question

2 Answers 2

Reset to default
2

Yes the user will still expire, and he/she will not be authorized to use resources available on the server. You are using Forms Authentication Cookie, which is a simple container for the FormsAuthentication Ticket.

Because your ticket is non-persistent, this will cause your "cookie" to expire which will redirect the user to the LOGIN PAGE. Note this handles "authentication" only, and not to be confused with Session.

You may have Session "expire", but the user is still authenticated, and that could be a problem.

So to answer your question directly, the "User authentication" will expire, and he/she will be redirected to Login page, to which a new cookie will be created on Login, that will create another "Session" object. Overtime the previous one will expire.

Advice: Make Forms Timeout in "Web.config" smaller than Session. Don't build a dependency on Session for any Auth/Security related; the two are different containers and should be treated as such.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Better you read the links below. It'll be faster for you. take a look at slidingExpiration

The expiration is refreshed on each request before half time of expiration.

Understanding the Forms Authentication Ticket and Cookie and forms Element

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.