Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Timing (forms) authenticated sessions out.

Reply
Thread Tools

Timing (forms) authenticated sessions out.

 
 
Paul
Guest
Posts: n/a
 
      04-21-2004
Hi,

I'm experimenting with forms authentication which I've got working (it's
based on some technet stuff.) One thing however, is confusing me.

A cookie is created based on the authentication ticket and there seem to
be a number of expiry/expiration values. There's one in web.config in
the <forms....timeout="20" /> element. There's also one in the creation
of the authentication ticket. I believe that there's yet another in
web.config to do with sessions and there may even be some in IIS!

What I want is for the user to be timed out after a set time, so that if
they walk away for longer than this time and they (or anyone else for
that matter) request a secured page, then they are re-directed to the
login page. I don't need it to automatically redirect on timeout (I
suspect that might involve adding a refresh command to the page to be
executed clientside)

Also, if they continue using the app, I don't want them to be challenged
to re-authenticate every (say) 20 mins.

Which setting(s) do I have to set, or do I have to check in code on
every page that the cookie is still "in date"?

Thanks to anyone who can help my understanding.

Paul
--
Paul
 
Reply With Quote
 
 
 
 
Paul Glavich [MVP - ASP.NET]
Guest
Posts: n/a
 
      04-26-2004
The <forms....timeout="20" /> method is equivalent to setting the value in
code which you have mentioned below. Just that the former method is
declaritive via the web.config and the other is programatic (in code) and
not as easily changed.

The <sessionState timeout= ... /> setting is simply for session values/data.
So, the auth cookie may not have timed out, but the session data stored in
the session variables will be reset/lost after this period.

The IIS session timeout value can effectively be ignored as it only applies
(to the best of my knowledge) to the "classic asp" style session state.

--
- Paul Glavich
Microsoft MVP - ASP.NET


"Paul" <(E-Mail Removed)> wrote in message
news:z$(E-Mail Removed)...
> Hi,
>
> I'm experimenting with forms authentication which I've got working (it's
> based on some technet stuff.) One thing however, is confusing me.
>
> A cookie is created based on the authentication ticket and there seem to
> be a number of expiry/expiration values. There's one in web.config in
> the <forms....timeout="20" /> element. There's also one in the creation
> of the authentication ticket. I believe that there's yet another in
> web.config to do with sessions and there may even be some in IIS!
>
> What I want is for the user to be timed out after a set time, so that if
> they walk away for longer than this time and they (or anyone else for
> that matter) request a secured page, then they are re-directed to the
> login page. I don't need it to automatically redirect on timeout (I
> suspect that might involve adding a refresh command to the page to be
> executed clientside)
>
> Also, if they continue using the app, I don't want them to be challenged
> to re-authenticate every (say) 20 mins.
>
> Which setting(s) do I have to set, or do I have to check in code on
> every page that the cookie is still "in date"?
>
> Thanks to anyone who can help my understanding.
>
> Paul
> --
> Paul



 
Reply With Quote
 
 
 
 
Hernan de Lahitte
Guest
Posts: n/a
 
      04-26-2004
If you have slidingExpiration turned on, the cookie lifetime will be
extended for the timeout period as long as the user hit any page under
FormsAuth within the timeframe specified by the timeout setting. So
FormsAuth will keep track of the cookie lifetime for you and if you set an
appropriate timeout value, you should have the desired behavior (if the user
keeps on using the app, there won't be any login page presented).


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

"Paul" <(E-Mail Removed)> wrote in message
news:z$(E-Mail Removed)...
> Hi,
>
> I'm experimenting with forms authentication which I've got working (it's
> based on some technet stuff.) One thing however, is confusing me.
>
> A cookie is created based on the authentication ticket and there seem to
> be a number of expiry/expiration values. There's one in web.config in
> the <forms....timeout="20" /> element. There's also one in the creation
> of the authentication ticket. I believe that there's yet another in
> web.config to do with sessions and there may even be some in IIS!
>
> What I want is for the user to be timed out after a set time, so that if
> they walk away for longer than this time and they (or anyone else for
> that matter) request a secured page, then they are re-directed to the
> login page. I don't need it to automatically redirect on timeout (I
> suspect that might involve adding a refresh command to the page to be
> executed clientside)
>
> Also, if they continue using the app, I don't want them to be challenged
> to re-authenticate every (say) 20 mins.
>
> Which setting(s) do I have to set, or do I have to check in code on
> every page that the cookie is still "in date"?
>
> Thanks to anyone who can help my understanding.
>
> Paul
> --
> Paul



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Sessions timing out quickly despite very high timeout set in web.config Alex ASP .Net 7 08-24-2007 09:57 PM
ASP Sessions - site is timing out early! Nebulus ASP General 4 05-08-2007 07:02 PM
Firefox authenticated sessions Fast Eddie Computer Support 0 03-22-2007 09:15 PM
Prevent a page in an authenticated application from being authenticated Abhijit ASP General 0 04-12-2004 02:10 PM
Sessions of non-authenticated users expire en masse Jeff 'Jones' Putz ASP .Net 0 11-14-2003 01:48 AM



Advertisments