
The ASP.NET application kicks out the users after 20 min even though it has the following in the Web.config and the users are posting the forms:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880"/>
</authentication>

Reading this, I am getting the impression that I need to add sliding expiration AND sessionState set to at least 2880 in order to achieve at least 48 min timeout that would be re-started every time the user does a POST.

Is that correct?

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" slidingExpiration="true"/>
</authentication>

<sessionState mode="InProc" cookieless="false" timeout="3000" />
ajeh
    I suggested this as an edit, but since it does appear you were referring to 48 minutes instead of 48 hours then it is worth noting that the timeout values are in minutes so 2880 is actually 48 hours. – Matthew Jan 12 '16 at 16:48
  • Yes, the intent of the site developer was to use 40~something min for a timeout and they probably got the number wrong. I just need to overcome the default 20 min timeout. – ajeh Jan 12 '16 at 16:50

1 Answer


Authentication and session state are different entities. The timeout attribute under the authentication tag sets the time before the authentication cookie expires (in minutes). You can actually view the cookie itself in the Chrome browser within Developer Tools -> Resources -> Cookies (.ASPXAUTH is the default name). By setting sliding expiration equal to true, you will renew the cookie each time an authenticated user submits a request.

Session state is controlling the amount of time before the session expires. Once again, submitting a request will reset the timer. In many scenarios, web applications will require both the authentication cookie to be valid and the session to be current in order for the user to remain logged in. It's also often a bad idea to set the session timeout to a very long value (more than a couple hours) for security reasons. If you did want to maintain the current session for a long period of time regardless of activity, however, you would set the timeout value as you have done.

In your case, it sounds like you do need to set both timeout values to the desired amount of time if you want the user to remain logged in despite inactivity.

Matthew
  • It's a good point that the setting is in minutes! Just to confirm: are you saying that default session timeout is the one that kicks out the users? So if I set the session timeout to 50 min, would I even need to worry about adding sliding expiration? – ajeh Jan 12 '16 at 16:48
  • If you set the session timeout to a value of 50 minutes (while keeping the authentication timeout at 48 hours), then your users will be able to remain inactive for 50 minutes before they are automatically logged off. I would not worry about setting sliding expiration to true. By keeping it false, you are saying that regardless of activity, you want the user to be forced to re-authenticate every 2 days. This is usually desirable just for security reasons. Does that answer your question? – Matthew Jan 12 '16 at 16:51
  • Both the authentication cookie and the session must be current in order for the user to remain active, but the authentication cookie is not the one causing your problem. – Matthew Jan 12 '16 at 16:51
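The interplay the answer describes can be checked mechanically. This added example (not code from the question or the answer) parses Web.config fragments and reports which of the two timeouts ends a login first; it assumes the ASP.NET defaults of a 30 minute forms timeout, slidingExpiration true, and a 20 minute sessionState timeout when the attributes are absent, and the two embedded fragments are constructed copies of the question's configurations.

```python
# Added example, not code from the question or answer: parse Web.config fragments
# and report which timeout ends the login first. Assumes the ASP.NET defaults:
# <forms timeout> 30 min, slidingExpiration true, <sessionState timeout> 20 min.
import xml.etree.ElementTree as ET

FORMS_DEFAULT_TIMEOUT = 30     # minutes, used when <forms> has no timeout attribute
SLIDING_DEFAULT = True         # slidingExpiration when the attribute is absent
SESSION_DEFAULT_TIMEOUT = 20   # minutes, used when <sessionState> is absent
LONG_SESSION_MINUTES = 120     # the answer advises against sessions beyond a couple of hours

def effective_timeouts(web_config_xml):
    """Return the idle and absolute logout limits (minutes) implied by a Web.config."""
    root = ET.fromstring(web_config_xml)
    forms = root.find(".//authentication/forms")
    session = root.find(".//sessionState")
    forms_timeout, sliding = FORMS_DEFAULT_TIMEOUT, SLIDING_DEFAULT
    if forms is not None:
        forms_timeout = int(forms.get("timeout", FORMS_DEFAULT_TIMEOUT))
        sliding = forms.get("slidingExpiration", str(SLIDING_DEFAULT)).lower() == "true"
    session_timeout = SESSION_DEFAULT_TIMEOUT
    if session is not None:
        session_timeout = int(session.get("timeout", SESSION_DEFAULT_TIMEOUT))
    # The session timer restarts on every request. A sliding ticket is reissued on a
    # request only once more than half its lifetime has passed, so its idle allowance
    # lies between forms_timeout/2 and forms_timeout; a non-sliding ticket simply
    # expires forms_timeout after issue. The shorter limit ends the login.
    idle = min(session_timeout, forms_timeout)
    limited_by = "sessionState" if session_timeout <= forms_timeout else "forms"
    findings = []
    if session_timeout > LONG_SESSION_MINUTES:
        findings.append(f"sessionState timeout {session_timeout} min exceeds {LONG_SESSION_MINUTES} min")
    if sliding:
        findings.append("slidingExpiration=true: an active login is never forced to re-authenticate")
    return {
        "forms_timeout": forms_timeout,
        "sliding_expiration": sliding,
        "session_timeout": session_timeout,
        "idle_logout_minutes": idle,
        "limited_by": limited_by,
        "absolute_logout_minutes": None if sliding else forms_timeout,
        "findings": findings,
    }

# Constructed Web.config fragments mirroring the question's two configurations.
ORIGINAL = """<configuration><system.web><authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880"/></authentication></system.web></configuration>"""
PROPOSED = """<configuration><system.web><authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" slidingExpiration="true"/></authentication>
<sessionState mode="InProc" cookieless="false" timeout="3000"/></system.web></configuration>"""
```

Running effective_timeouts(ORIGINAL) shows the default 20 minute sessionState timeout as the limiting factor, which is the behaviour the question reports; effective_timeouts(PROPOSED) shows the forms timeout taking over and flags the 3000 minute session as longer than a couple of hours.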