Hi, in my ASP.NET website I am using ASP.NET forms authentication with the following configuration:

<authentication mode="Forms">
  <forms loginUrl="~/Pages/Common/Login.aspx" defaultUrl="~/Pages/index.aspx" protection="All" timeout="30" name="MyAuthCookie" path="/" requireSSL="false" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" >
  </forms>
</authentication>

I have the following questions:

  1. What should the timeout value for the session be? I am using sliding expiration in forms authentication, due to which the session will expire before forms authentication. How can I protect it?

  2. After forms authentication logout I would like to redirect to logout.aspx, but it automatically redirects me to loginpage.aspx. How is it possible?

+2  A: 
  1. To be on the safe side: TimeOut(Session) <= TimeOut(FormsAuthentication) * 2
  2. If you want to show a page other than the one specified in the loginUrl attribute after an authentication timeout, you need to handle this manually, as ASP.NET does not provide a way of doing it.

To achieve #2 you should manually check the cookie and its AuthenticationTicket for expiration and redirect to your custom page if they have expired.
You can do it in one of the events: AcquireRequestState, AuthenticateRequest.

Sample code in the event can look like:

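// Requires: using System; using System.Web; using System.Web.Security;
// Read the forms authentication cookie by its configured name
var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie == null) return;
FormsAuthenticationTicket ticket = null;
try {
    ticket = FormsAuthentication.Decrypt(cookie.Value);
} catch (Exception decryptError) {
    // Handle properly: a cookie that fails to decrypt is invalid or tampered with
}
if (ticket == null) return; // Not authorised
if (ticket.Expired) { // Expiration is in the past
    FormsAuthentication.SignOut(); // Clear the stale cookie so the next request is not redirected again
    Response.Redirect("SessionExpiredPage.aspx"); // Or do other stuff here
}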
Dmytrii Nagirniak
Thanks Dmitriy. My second question: as written above inside <Form ...>, the default page is "index.aspx" and the login page is "login.aspx". After logging in, when I remain idle on my dashboard page for 30 minutes (the timeout) and then click on any link, I am automatically redirected to the login page with the following URL: http://localhost:/virtualdir/Pages/Login.aspx?ReturnUrl=%2fvirtualdir%2fPages%2fDashBoard.aspx But here I would like to redirect to a logout page where I can show some logout information.
Hemant Kothiyal
Updated the answer.
Dmytrii Nagirniak
Can you show me an example? In my case I take a scenario where I set the forms authentication timeout = 2 minutes while the session timeout = 6 minutes, and after 3 minutes, when I click on a link, it doesn't debug anywhere, not even at "AcquireRequestState". Please help?
Hemant Kothiyal
Oops. Sorry, the timeout for FormsAuthentication should be twice as long as the Session's one. Corrected that. AcquireRequestState and AuthenticateRequest should always be triggered (no matter what). Make sure you have correctly subscribed to these events on the HttpApplication class.
Dmytrii Nagirniak
Thanks. Can you clear up another doubt? I am confused about whether, if I set sliding expiration = true in forms authentication, sliding expiration automatically works for the session timeout as well. Does sliding expiration work for the session timeout?
Hemant Kothiyal
FormsAuthentication expiration (absolute or sliding) is not related to Session expiration in any way. The Session has no absolute expiration and always expires in a "sliding" way.
Dmytrii Nagirniak
Are you sure that you want to have Session.Timeout < FormsAuthentication.Timeout * 2? This means that the Session can be abandoned while the user is still logged in. Anywhere that references Session variables will start having NullReferenceExceptions.
Dominic Zukiewicz
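
The expired-ticket check from the answer, wired into Global.asax as a complete handler. This is an added example, not code from the thread. It assumes cookie-based tickets and a hypothetical anonymous-access page at ~/Pages/Common/Logout.aspx, and it uses BeginRequest (a choice made here, not one of the events the answer names) so the check runs before the forms authentication module handles the request.

```csharp
// Global.asax.cs -- added example; the Logout.aspx path is an assumption.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical page; it must be reachable without authentication.
    private const string ExpiredPage = "~/Pages/Common/Logout.aspx";

    // ASP.NET binds Application_* methods to HttpApplication events by name,
    // so no explicit subscription is needed for this handler to fire.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string target = VirtualPathUtility.ToAbsolute(ExpiredPage);

        // Never redirect the expired page to itself.
        if (string.Equals(Request.Path, target, StringComparison.OrdinalIgnoreCase))
            return;

        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return; // No ticket: let the normal loginUrl redirect apply.

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Undecryptable or tampered cookie: clear it and treat the
            // request as unauthenticated rather than trusting any of it.
            FormsAuthentication.SignOut();
            return;
        }

        if (ticket != null && ticket.Expired)
        {
            // Expire the cookie so the following request does not loop.
            FormsAuthentication.SignOut();
            Response.Redirect(target, false);
            CompleteRequest(); // End the pipeline without a ThreadAbortException.
        }
    }
}
```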