I apologize in advance for this likely being asked before. I have an asp.net 2.0 web application and am trying to set the session timeout.

My first attempt was to add this to the web.config: <sessionState mode="InProc" timeout="300">

Users would tell me though that after about 20 minutes of being idle and then trying to do something again on the site they'd be redirected back to the login page.

So now I'm trying timeout="60" in my <forms> tag in the web.config.

I also tried Session.Timeout=60 in my global.asax.

Should these work? Do I need something else? Thank you for your time and help.

+2  A: 

From another forum post.

There are two different types of timeout. One is an authentication timeout (which redirects you to a login page) and the other is a session timeout (which drops all session vars). I set the session timeout in global.asax session_start by using session.timeout. In your web.config, you can set the authentication timeout by editing this tag:

<authentication mode="Forms"> 
    <forms timeout="1024"/> 
</authentication>
Dustin Laine
This makes sense to me and I see now that I needed to set the forms timeout. Just out of curiosity though, why didn't just having the sessionState timeout be sufficient and not bring them back to the login until the timeout was up? Like I said, I had it set to 300.
d3020
The session state has nothing to do with authentication other than the fact that sessions are used by authentication.
Dustin Laine
Ok. So then setting the session state timeout had no impact on the timeout then you're saying? Is there any relationship or connection? What I mean by that is say I set the timeout in the forms tag to 60 and the timeout in the session state tag to say 30. What are the effects in a situation like that?
d3020
Your session variables, whatever they may be, will expire in 20 minutes.
Dustin Laine
+2  A: 

Session timeout and the authentication timeout are two separate things.

Any user that comes to your site gets a session, regardless of whether or not they've logged in. After they have been inactive for the specified timeout, their session is gone and they get assigned a new session the next time they hit your site.

Forms Authentication uses an authentication ticket in a cookie that also has a timeout. If the authentication timeout is shorter than the session timeout, the authentication ticket will expire and the users will still be logged out - but they'll still have their session data!

You need to look for the authentication timeout in your web.config and adjust it to match the session timeout.

womp
Ok, I see that there are two different types of timeout and that I needed to be setting the one for the forms authentication. What I'm not completely clear on though is where you talk about the session timeout. Like I said, before ever putting in the timeout property in the forms part, I had the sessionState timeout set to 300, and yet it still logged the users out after 20 min or so. I'm still not sure why that would be.
d3020
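The two independent timeouts described in the answers can be checked directly from a web.config. The following is an added example, not code from either answer: a small Python audit that reads the sessionState and forms timeouts and reports which expires first. The function names and both sample configs are constructed for illustration; the fallback values are the ASP.NET defaults (20 minutes for sessionState, 30 minutes for forms).

```python
import xml.etree.ElementTree as ET

# ASP.NET defaults, in minutes, applied when the attribute is absent.
DEFAULT_SESSION_TIMEOUT = 20
DEFAULT_FORMS_TIMEOUT = 30

def _child(parent, name):
    """First child element called `name`, ignoring any XML namespace."""
    if parent is None:
        return None
    for el in parent:
        if el.tag.split("}")[-1] == name:
            return el
    return None

def read_timeouts(web_config_xml):
    """Return (session_minutes, forms_minutes); forms is None without Forms auth."""
    system_web = _child(ET.fromstring(web_config_xml), "system.web")
    session = _child(system_web, "sessionState")
    session_min = DEFAULT_SESSION_TIMEOUT
    if session is not None:
        session_min = int(session.get("timeout", DEFAULT_SESSION_TIMEOUT))
    auth = _child(system_web, "authentication")
    if auth is None or auth.get("mode") != "Forms":
        return session_min, None
    forms = _child(auth, "forms")
    forms_min = DEFAULT_FORMS_TIMEOUT
    if forms is not None:
        forms_min = int(forms.get("timeout", DEFAULT_FORMS_TIMEOUT))
    return session_min, forms_min

def assess(web_config_xml):
    """Classify which timeout an idle user hits first."""
    session_min, forms_min = read_timeouts(web_config_xml)
    if forms_min is None:
        return "no-forms-auth"
    if forms_min < session_min:
        return "login-expires-first"    # sent to login page, session data kept
    if session_min < forms_min:
        return "session-expires-first"  # still logged in, session vars dropped
    return "aligned"

# Constructed sample: sessionState raised to 300, forms timeout left at default.
FIRST_ATTEMPT = """<configuration><system.web>
  <sessionState mode="InProc" timeout="300" />
  <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
</system.web></configuration>"""
# Constructed sample: the forms=60 / sessionState=30 case asked about in the comments.
MIXED = FIRST_ATTEMPT.replace('timeout="300"', 'timeout="30"').replace(
    '<forms loginUrl="login.aspx" />', '<forms loginUrl="login.aspx" timeout="60" />')
```

A result of "session-expires-first" is the case to watch for in code that assumes an authenticated user always has populated session variables.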