Timing (forms) authenticated sessions out.

[Paul]

Hi,

I'm experimenting with forms authentication which I've got working (it's
based on some technet stuff.) One thing however, is confusing me.

A cookie is created based on the authentication ticket and there seem to
be a number of expiry/expiration values. There's one in web.config in
the <forms....timeout="20" /> element. There's also one in the creation
of the authentication ticket. I believe that there's yet another in
web.config to do with sessions and there may even be some in IIS!

What I want is for the user to be timed out after a set time, so that if
they walk away for longer than this time and they (or anyone else for
that matter) request a secured page, then they are re-directed to the
login page. I don't need it to automatically redirect on timeout (I
suspect that might involve adding a refresh command to the page to be
executed clientside)

Also, if they continue using the app, I don't want them to be challenged
to re-authenticate every (say) 20 mins.

Which setting(s) do I have to set, or do I have to check in code on
every page that the cookie is still "in date"?

Thanks to anyone who can help my understanding.

Paul
--
Paul

[Paul Glavich [MVP - ASP.NET]]

The <forms....timeout="20" /> method is equivalent to setting the value in
code which you have mentioned below. Just that the former method is
declaritive via the web.config and the other is programatic (in code) and
not as easily changed.

The <sessionState timeout= ... /> setting is simply for session values/data.
So, the auth cookie may not have timed out, but the session data stored in
the session variables will be reset/lost after this period.

The IIS session timeout value can effectively be ignored as it only applies
(to the best of my knowledge) to the "classic asp" style session state.

--
- Paul Glavich
Microsoft MVP - ASP.NET


"Paul" <paul@hotmail.com.invalid> wrote in message
news:z$vrNPKCBchAFwWR@eyeore.home...

> Hi,
>
> I'm experimenting with forms authentication which I've got working (it's
> based on some technet stuff.) One thing however, is confusing me.
>
> A cookie is created based on the authentication ticket and there seem to
> be a number of expiry/expiration values. There's one in web.config in
> the <forms....timeout="20" /> element. There's also one in the creation
> of the authentication ticket. I believe that there's yet another in
> web.config to do with sessions and there may even be some in IIS!
>
> What I want is for the user to be timed out after a set time, so that if
> they walk away for longer than this time and they (or anyone else for
> that matter) request a secured page, then they are re-directed to the
> login page. I don't need it to automatically redirect on timeout (I
> suspect that might involve adding a refresh command to the page to be
> executed clientside)
>
> Also, if they continue using the app, I don't want them to be challenged
> to re-authenticate every (say) 20 mins.
>
> Which setting(s) do I have to set, or do I have to check in code on
> every page that the cookie is still "in date"?
>
> Thanks to anyone who can help my understanding.
>
> Paul
> --
> Paul

[Hernan de Lahitte]

If you have slidingExpiration turned on, the cookie lifetime will be
extended for the timeout period as long as the user hit any page under
FormsAuth within the timeframe specified by the timeout setting. So
FormsAuth will keep track of the cookie lifetime for you and if you set an
appropriate timeout value, you should have the desired behavior (if the user
keeps on using the app, there won't be any login page presented).


--
Hernan de Lahitte
Lagash Systems S.A.
[url]http://weblogs.asp.net/hernandl[/url]


This posting is provided "AS IS" with no warranties, and confers no rights.

"Paul" <paul@hotmail.com.invalid> wrote in message
news:z$vrNPKCBchAFwWR@eyeore.home...

> Hi,
>
> I'm experimenting with forms authentication which I've got working (it's
> based on some technet stuff.) One thing however, is confusing me.
>
> A cookie is created based on the authentication ticket and there seem to
> be a number of expiry/expiration values. There's one in web.config in
> the <forms....timeout="20" /> element. There's also one in the creation
> of the authentication ticket. I believe that there's yet another in
> web.config to do with sessions and there may even be some in IIS!
>
> What I want is for the user to be timed out after a set time, so that if
> they walk away for longer than this time and they (or anyone else for
> that matter) request a secured page, then they are re-directed to the
> login page. I don't need it to automatically redirect on timeout (I
> suspect that might involve adding a refresh command to the page to be
> executed clientside)
>
> Also, if they continue using the app, I don't want them to be challenged
> to re-authenticate every (say) 20 mins.
>
> Which setting(s) do I have to set, or do I have to check in code on
> every page that the cookie is still "in date"?
>
> Thanks to anyone who can help my understanding.
>
> Paul
> --
> Paul