I've spent a lot more time researching this issue that I have with my ASP.NET "session" timing out. The reason I'm using "session" in double quotes is that I'm not sure if the issue is related to my Session timing out or my Forms Authentication.

The problem that I have is that I've set both the forms authentication cookie and the session state to timeout after one day (1,440 minutes), but it seems to be timing out after 20 minutes, which I understand to be the default.

In the web.config, I have
XML
<sessionState mode="InProc" cookieless="false" timeout="1440" />


and
XML
<authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="1440" protection="All" defaultUrl="Default.aspx"/>
</authentication>


In the code behind of my login page, this is how I set my authentication cookie:
FormsAuthentication.SetAuthCookie("someValue", true);


For testing purposes, I want my session to stay active for one day. When I inspect the authentication cookie on the client, the cookie information shows an expiration date that is exactly a day out from right now. I suspect that the Session is causing the issue, but why is my timeout value in the web.config being ignored?

1 solution

The following links may help you out:
Role-based Security with Forms Authentication
http://forums.asp.net/t/1143744.aspx/1?Managing+Session+TimeOut+using+Web+Config
http://www.asp.net/security/tutorials/an-overview-of-forms-authentication-vb

If I misunderstand your question, please feel free to correct me. I hope the above information will be helpful. If you have more concerns, please let me know.

If this would be really helpful to you then don't forget to Vote and Mark Answer as Accepted.
 
Comments
jasonHall 28-Feb-11 17:16pm    
As kkmummadi wrote in the thread from the 2nd link that Habib shared, you must also verify that IIS is configured correctly.

kkmummadi wrote:
If you are using ASP.NET 2.0, you have to check in the IIS.
Open the IIS, click on the Application Pools, Select the Application pool for your application.
Right Click on that, Select Properties.
In the Performance tab, Set the idle timeout as your desired minutes for "shutdown worker processes after being idle for ..... minutes".
Apart from this you have to set the timeout in web.config as said by the other friends

If you're using ASP.NET 4.0 and deploying to a machine using IIS7, go to the Application Pools, right-click your app pool and go to Advanced Settings, under Process Module set the Idle Timeout (minutes) to the modified value (20 minutes by default).

I also noticed that if you click on your website in IIS7, double-click on the Session State button, scroll down to cookies settings, you'll find a Time-out (in minutes): textbox with a value that is also defaulted to 20 minutes. I changed the Application Pools setting on my webserver and got the desired result. Thanks, Habib!
Monjurul Habib 1-Mar-11 2:09am    
thank you too JasonH.
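
The interaction described in the comments above, as an added example that is not code from the original thread: with `mode="InProc"`, the session lasts only as long as the shortest of the session-state timeout, the forms-authentication timeout and the application pool's idle timeout. The pool name `MyAppPool`, the `applicationHost.config` fragment and the function names are assumptions made for illustration, and `applicationPoolDefaults` is not consulted.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the question's web.config values plus an
# applicationHost.config fragment; the pool name "MyAppPool" is hypothetical.
WEB_CONFIG = """<configuration><system.web>
  <sessionState mode="InProc" cookieless="false" timeout="1440" />
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="1440" protection="All" />
  </authentication>
</system.web></configuration>"""
APPHOST_CONFIG = """<configuration><system.applicationHost><applicationPools>
  <add name="MyAppPool"><processModel idleTimeout="00:20:00" /></add>
</applicationPools></system.applicationHost></configuration>"""


def timespan_minutes(value):
    """Convert an IIS [d.]hh:mm:ss timespan to minutes."""
    days, _, clock = value.rpartition(".")
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    return int(days or 0) * 1440 + hours * 60 + minutes + seconds / 60


def effective_timeouts(web_xml, apphost_xml, pool_name):
    """Return (limits in minutes, name of the setting that expires first)."""
    web = ET.fromstring(web_xml)
    session = web.find("./system.web/sessionState")
    forms = web.find("./system.web/authentication/forms")
    # ASP.NET defaults (20 and 30 minutes) apply when nothing is configured.
    limits = {
        "sessionState": int(session.get("timeout", 20)) if session is not None else 20,
        "forms": int(forms.get("timeout", 30)) if forms is not None else 30,
    }
    mode = session.get("mode", "InProc") if session is not None else "InProc"
    pools = ET.fromstring(apphost_xml).findall(".//applicationPools/add")
    pool = next((p for p in pools if p.get("name") == pool_name), None)
    model = pool.find("processModel") if pool is not None else None
    idle_raw = model.get("idleTimeout", "00:20:00") if model is not None else "00:20:00"
    idle = timespan_minutes(idle_raw)
    # InProc session data lives in the worker process, so an idle shutdown
    # discards it. An idleTimeout of 0 disables idle shutdown.
    if mode == "InProc" and idle > 0:
        limits["appPoolIdle"] = idle
    return limits, min(limits, key=limits.get)


if __name__ == "__main__":
    limits, first = effective_timeouts(WEB_CONFIG, APPHOST_CONFIG, "MyAppPool")
    print(limits, "-> expires first:", first)
```

The same check is useful in the other direction: when a short session timeout is a security requirement, it confirms that no single setting silently extends or shortens the intended lifetime.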

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


