Forms authentication timeout vs sessionState timeout

Question

I have code that i am looking through regarding session time outs of the website  In the web config i came across this code     lt authentication mode  Forms  gt     lt forms loginUrl    Auth SignOn aspx  timeout  40  slidingExpiration  true    gt   lt  authentication gt    lt sessionState timeout  30    gt    Does anyone know if one takes precedent over the other  and how they are different  Thanks

User · Answer

lt sessionState timeout  2    gt         lt authentication mode  Forms  gt             lt forms name  userLogin  path     timeout  60  loginUrl  Login aspx  slidingExpiration  true   gt         lt  authentication gt    This configuration sends me to the login page every two minutes  which seems to controvert the earlier answers

User · Answer

They are different things  The Forms Authentication Timeout value sets the amount of time in minutes that the authentication cookie is set to be valid  meaning  that after value number of minutes  the cookie will expire and the user will no longer be authenticated   they will be redirected to the login page automatically  The slidingExpiration true value is basically saying that as long as the user makes a request within the timeout value  they will continue to be authenticated  more details here   If you set slidingExpiration false the authentication cookie will expire after value number of minutes regardless of whether the user makes a request within the timeout value or not   The SessionState timeout value sets the amount of time a Session State provider is required to hold data in memory  or whatever backing store is being used  SQL Server  OutOfProc  etc  for a particular session  For example  if you put an object in Session using the value in your example  this data will be removed after 30 minutes  The user may still be authenticated but the data in the Session may no longer be present  The Session Timeout value is always reset after every request

User · Answer

The slidingExpiration true value is basically saying that after every request made  the timer is reset and as long as the user makes a request within the timeout value  he will continue to be authenticated    This is not correct  The authentication cookie timeout will only be reset if half the time of the timeout has passed   See for example https   support microsoft com de-ch kb 910439 en-us or https   itworksonmymachine wordpress com 2008 07 17 forms-authentication-timeout-vs-session-timeout

User · Answer

The difference is that one  Forms timeout  has to do with authenticating the user and the other  Session timeout  has to do with how long cached data is stored on the server  So they are very independent things  so one does not take precedence over the other

User · Answer

For anyone stumbling across this question refer to this documentation from MS - it has really good details regarding FormsAuthentication Timeout setting    This doc explains in detail about the comment bmode is making in the Accepted Answer - about the Persistent Cookie  Session vs Expires   https   docs microsoft com en-us aspnet web-forms overview older-versions-security introduction forms-authentication-configuration-and-advanced-topics-cs specifying-the-tickets-timeout-value

User · Answer

From what I understand they are independent of one another  By keeping the session timeout less than or equal to the authentication timeout  you can make sure any user-specific session variables are not persisted after the authentication has timed out  if that is your concern  which I think is the normal one when asking this question   Of course  you ll have to manually handle the disposal of session variables upon log-out    Here is a decent response that may answer your question or at least point you in the right direction    Forms Authentication Timeout vs Session Timeout

User · Answer

The difference is that one  forms time-out  has to do authenticating the user and the other  session timeout  has to do with how long cached data is stored on the server  So they are very independent things so one doesn t take precedence over the other

[asp.net] Forms authentication timeout vs sessionState timeout

Examples related to asp.net

Examples related to session

Examples related to web-config