There's a detailed article on MSDN that explains how Forms authentication works and what configuration options are available.
Basically Forms authentication uses cookies (unless you specifically tell it not to). So you could set the expiration date for your Forms authentication cookies to 24 hours. But there's a catch. You probably need to roll your own Membership code, since by default, the timeout attribute of the forms element is also used to set the lifetime of the persistent cookie. And you don't want that. You'd want to set the expiration for your cookie to 24 hours.
The way it works is that after the user logs in, the Forms authentication cookie is created, and afterwards it's included along with each request until it expires.
From the linked article:
The Membership Provider has code similar to this when authenticating a user:
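    // Validate the submitted credentials against the membership store.
    if (Membership.ValidateUser(userName.Text, password.Text))
    {
        if (Request.QueryString["ReturnUrl"] != null)
        {
            // Issue the auth cookie and redirect back to the requested page.
            // false = do not create a persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(userName.Text, false);
        }
        else
        {
            // Issue the auth cookie without redirecting.
            FormsAuthentication.SetAuthCookie(userName.Text, false);
        }
    }
    else
    {
        Response.Write("Invalid UserID and Password");
    }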
You can create a Forms Authentication ticket using the FormsAuthenticationTicket class:
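    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                              // ticket version
        userName.Text,                  // name: the user name the ticket is issued for
        DateTime.Now,                   // issue date
        DateTime.Now.AddHours(24),      // ticket expiration: 24 hours from now
        false,                          // isPersistent
        String.Empty,                   // userData
        FormsAuthentication.FormsCookiePath);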
Forms authentication uses the Encrypt method for encrypting and signing the forms authentication ticket:
    string encryptedTicket = FormsAuthentication.Encrypt(ticket);
Create the cookie:
    HttpCookie authCookie = new HttpCookie(
        FormsAuthentication.FormsCookieName,
        encryptedTicket);
Add the cookie to the cookie collection:
    Response.Cookies.Add(authCookie);
And that should be about it.
You probably need to roll your own cookie, because by default, the timeout property that you specified for your forms is the one that's going to be used for the cookie timeout.
So in your example:
    <authentication mode="Forms">
        <forms loginUrl="Login.aspx" timeout="15" slidingExpiration="true"/>
    </authentication>
The cookie's timeout will be 15 minutes also.
Probably the easier approach in your case would be to handle your enforced 24-hour timeout using a session variable, since you'd only hit that if the user was actually active during that period (otherwise it would have timed out from the cookie). So you could just terminate a Session if it had been active for over 24 hours.
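
One way to implement the session-variable approach described above, as an added example that is not part of the original answer. It keeps the 15-minute sliding cookie and enforces a 24-hour absolute limit in Global.asax; the names LoginTimeKey, AbsoluteLimit, StampLogin and IsExpired are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Global.asax.cs (added example; helper names are assumptions, not from the answer)
public class Global : HttpApplication
{
    private const string LoginTimeKey = "LoginTimeUtc";            // hypothetical session key
    private static readonly TimeSpan AbsoluteLimit = TimeSpan.FromHours(24);

    // Call from the login page right after Membership.ValidateUser succeeds.
    public static void StampLogin(HttpContext context)
    {
        context.Session[LoginTimeKey] = DateTime.UtcNow;
    }

    // Pure check so the rule can be unit-tested without an HTTP context.
    // A missing stamp (session lost, e.g. app pool recycle) fails closed.
    public static bool IsExpired(DateTime? loginUtc, DateTime nowUtc)
    {
        return !loginUtc.HasValue || nowUtc - loginUtc.Value >= AbsoluteLimit;
    }

    // Session state is only available from AcquireRequestState onwards.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;

        // Skip handlers that have no session and anonymous requests.
        if (context.Session == null || !context.Request.IsAuthenticated)
            return;

        DateTime? loginUtc = context.Session[LoginTimeKey] as DateTime?;
        if (IsExpired(loginUtc, DateTime.UtcNow))
        {
            FormsAuthentication.SignOut();      // expire the auth cookie
            context.Session.Abandon();          // drop server-side session state
            FormsAuthentication.RedirectToLoginPage();

            // RedirectToLoginPage does not end the request, so skip straight
            // to EndRequest; otherwise the protected page would still execute.
            CompleteRequest();
        }
    }
}
```

Because the check fails closed, a user whose session state is lost before the forms cookie expires is sent back to the login page earlier than 24 hours.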