SyntaxFix

[asp.net] Forms authentication timeout vs sessionState timeout

I have code that i am looking through regarding session time outs of the website. In the web.config i came across this code.

 <authentication mode="Forms">
  <forms loginUrl="~/Auth/SignOn.aspx" timeout="40" slidingExpiration="true" />
</authentication>

<sessionState timeout="30" />

Does anyone know if one takes precedent over the other, and how they are different. Thanks.

This question is related to asp.net session web-config

The answer is

From what I understand they are independent of one another. By keeping the session timeout less than or equal to the authentication timeout, you can make sure any user-specific session variables are not persisted after the authentication has timed out (if that is your concern, which I think is the normal one when asking this question). Of course, you'll have to manually handle the disposal of session variables upon log-out.

Here is a decent response that may answer your question or at least point you in the right direction:

      <sessionState timeout="2" />
      <authentication mode="Forms">
          <forms name="userLogin" path="/" timeout="60" loginUrl="Login.aspx" slidingExpiration="true"/>
      </authentication>

This configuration sends me to the login page every two minutes, which seems to controvert the earlier answers

The difference is that one (forms time-out) has to do authenticating the user and the other( session timeout) has to do with how long cached data is stored on the server. So they are very independent things so one doesn't take precedence over the other.

The difference is that one (Forms timeout) has to do with authenticating the user and the other (Session timeout) has to do with how long cached data is stored on the server. So they are very independent things, so one does not take precedence over the other.

The slidingExpiration=true value is basically saying that after every request made, the timer is reset and as long as the user makes a request within the timeout value, he will continue to be authenticated.

This is not correct. The authentication cookie timeout will only be reset if half the time of the timeout has passed.

See for example https://support.microsoft.com/de-ch/kb/910439/en-us or https://itworksonmymachine.wordpress.com/2008/07/17/forms-authentication-timeout-vs-session-timeout/

For anyone stumbling across this question refer to this documentation from MS - it has really good details regarding FormsAuthentication Timeout setting.

This doc explains in detail about the comment bmode is making in the Accepted Answer - about the Persistent Cookie (Session vs Expires)

https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/forms-authentication-configuration-and-advanced-topics-cs#specifying-the-tickets-timeout-value

Source: Stackoverflow.com

Examples related to asp.net

RegisterStartupScript from code behind not working when Update Panel is used You must add a reference to assembly 'netstandard, Version=2.0.0.0 No authenticationScheme was specified, and there was no DefaultChallengeScheme found with default authentification and custom authorization How to use log4net in Asp.net core 2.0 Visual Studio 2017 error: Unable to start program, An operation is not legal in the current state How to create roles in ASP.NET Core and assign them to users? How to handle Uncaught (in promise) DOMException: The play() request was interrupted by a call to pause() ASP.NET Core Web API Authentication Could not load file or assembly 'CrystalDecisions.ReportAppServer.CommLayer, Version=13.0.2000.0 WebForms UnobtrusiveValidationMode requires a ScriptResourceMapping for jquery

Examples related to session

What is the best way to manage a user's session in React? Spring Boot Java Config Set Session Timeout PHP Unset Session Variable How to kill all active and inactive oracle sessions for user Difference between request.getSession() and request.getSession(true) PHP - Session destroy after closing browser Get Current Session Value in JavaScript? Invalidating JSON Web Tokens How to fix org.hibernate.LazyInitializationException - could not initialize proxy - no Session How can I get session id in php and show it?

Examples related to web-config

No assembly found containing an OwinStartupAttribute Error IIS Config Error - This configuration section cannot be used at this path How to enable GZIP compression in IIS 7.5 how to set start page in webconfig file in asp.net c# Authentication issue when debugging in VS2013 - iis express Forms authentication timeout vs sessionState timeout Specified argument was out of the range of valid values. Parameter name: site Access-control-allow-origin with multiple domains "An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page..." ASP.NET: HTTP Error 500.19 – Internal Server Error 0x8007000d

Tags

Actionscript Typedarray Objectinputstream Micr Deobfuscation Sector Orientation Id-generation Bll Amazon-appstore Interpreted-language Datagridtextcolumn Defragmentation Qvariant Jquery-xml Messagecontract Shutdown Nsattributedstring Help-authoring Msde Self-updating Java.util.concurrent Vhosts Directory-server Camera Mirror Locking Fading Cue Merging-data Slidedown Shadow-copy Nested-generics Jquery-scrollable Less Coverity-prevent Ndbunit Shebang Dpi Svn-organization Selector Mixed-mode Innovation Wildcard Bittorrent Fileparse Msas Nonlinear-optimization Jcaps Loadmodule Nsprogressindicator Multi-window Nsalert Rsa Retain Cci Itunes-sdk Amazon-product-api Video-library Viewdidload Pisa Numberformatter Yaws Pharo Apng Self-documenting Height Pushpin Stack-unwinding Latency Drawbitmap Extend Nanoc Tscrollbox Maskededitextender Remedy Min-heap Intersection Firefox2 Computer-algebra-systems Implicit Ebcdic Static-compilation Makefile Application-loader Uiswitch Captions Mercurial Visualhg Helicontech Mysql-error-1051 Base-conversion Wise Recursion Tix Ropemacs Weakly-typed False-positive Playing-cards Refix