Timing (forms) authenticated sessions out.

From: Paul (paul_at_hotmail.com.invalid)
Date: 04/21/04

Date: Wed, 21 Apr 2004 01:28:50 +0100


I'm experimenting with forms authentication which I've got working (it's
based on some technet stuff.) One thing however, is confusing me.

A cookie is created based on the authentication ticket and there seem to
be a number of expiry/expiration values. There's one in web.config in
the <forms....timeout="20" /> element. There's also one in the creation
of the authentication ticket. I believe that there's yet another in
web.config to do with sessions and there may even be some in IIS!

What I want is for the user to be timed out after a set time, so that if
they walk away for longer than this time and they (or anyone else for
that matter) request a secured page, then they are re-directed to the
login page. I don't need it to automatically redirect on timeout (I
suspect that might involve adding a refresh command to the page to be
executed clientside)

Also, if they continue using the app, I don't want them to be challenged
to re-authenticate every (say) 20 mins.

Which setting(s) do I have to set, or do I have to check in code on
every page that the cookie is still "in date"?

Thanks to anyone who can help my understanding.



Relevant Pages

  • RE: Forms authentication cookie handling question (C#)
    ... I also replaced all of my ticket authentication code with the ... // Username and or password not found in our database... ... LoginControl's default code logic to generate authentication cookie. ...
  • Authentication Ticket Persistance
    ... Authentication Ticket cookie: ... For some reason my Authentication Ticket Cookie is persisting when ... Any ideas on why this cookie persists and/or how I can stop it? ...
  • RE: Forms Authentication
    ... The DNS entry for my domain was not set corrretly, ... This should have overcome the cookie ... authentication ticketis not correctly set to the domain your ... Microsoft MSDN Online Support Lead ...
  • RE: Forms authentication cookie handling question (C#)
    ... programmatically generate forms authentication ticket and set it in ASP.NET ... You use the Login control's "Authentication" event to do the user ... LoginControl's default code logic to generate authentication cookie. ...
  • Re: authentication cookie vs session cookie
    ... level of using authentication cookies on the client machines. ... authentication cookie on a manager's machine is stolen and used on a client ... > session variables as it relies on the session cookie that ASP.NET sends to ...