Forms Authentication Timeout vs Session State Timeout

  • Question

  • User-94285869 posted

    Hi,

    I've read from here:  http://codeasp.net/blogs/vivek_iit/microsoft-net/848/forms-authentication-timeout-vs-session-state-timeout  that it's better to set Forms Authentication timeout value to be greater than the Session State Timeout value.

    In this case, I need to inform the user that the session state is about to expire AND also to tell the user the authentication ticket is about to expire.  Seems like double work (if I set different values for Forms Authentication and Session State).

    Is there a way to use a popup alert and countdown to alert the user of the situation in each case, and have a button that the user can click to sort of "Keep me logged in"?

    Appreciate any help.

    Thursday, October 9, 2014 9:43 AM

Answers

  • User-760709272 posted

    Session and authentication are not related; if you want to link them you're going to have a buggy solution.

    If users want to stay logged in then give them a "remember me" option so the auth cookie remains active.

    Ignore handling session expirations, ignore trying to give users an indication their session is about to expire... again, if you try these things you'll just end up with a buggy solution.

    What you should do is make sure your site behaves intelligently for users that have no session (i.e. people who have deep-linked to your site, or people who have left their browser idle).

    As a totally separate issue you should also ensure your site behaves intelligently for users who are not authenticated (again deep linkers without a "remember me" or people who have had their auth timed out).

    With the above two things in place your site will respect the stateless nature of the internet and act properly.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, October 9, 2014 10:02 AM
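
The two independent checks the answer above describes, as an added example that is not code from the thread: authentication is checked first, then missing or mismatched session state is rebuilt instead of being treated as an error. `UserProfile`, `UserState`, the session key and `Load` are hypothetical names; the ASP.NET calls are the standard `System.Web` ones.

```csharp
using System;
using System.Web;
using System.Web.Security;

[Serializable] // needed if session state is stored out of process
public class UserProfile { public string UserName; } // hypothetical per-user data

public static class UserState // hypothetical helper
{
    private const string Key = "UserProfile"; // hypothetical session key

    // Returns the caller's profile, or null after starting a redirect to login.
    public static UserProfile GetProfile(HttpContextBase ctx)
    {
        // Authentication check: ticket expired, or deep link without a ticket.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return null;
        }
        string name = ctx.User.Identity.Name;

        // Session check, done separately: the session may be gone (idle timeout,
        // app-pool recycle) while the authentication ticket is still valid.
        var profile = ctx.Session == null ? null : ctx.Session[Key] as UserProfile;

        // The session cookie and the auth cookie are independent, so a session
        // left over from another login on the same browser must not be reused.
        // Case-insensitive name comparison is an assumption of this example.
        if (profile != null &&
            !string.Equals(profile.UserName, name, StringComparison.OrdinalIgnoreCase))
        {
            ctx.Session.Clear();
            profile = null;
        }

        if (profile == null)
        {
            profile = Load(name); // rebuild rather than fail on an empty session
            if (ctx.Session != null) ctx.Session[Key] = profile;
        }
        return profile;
    }

    // Stand-in for a data-store lookup keyed by the authenticated user name.
    private static UserProfile Load(string name) { return new UserProfile { UserName = name }; }
}
```

Calling `Session.Abandon()` at sign-out removes the leftover-session case at its source; the name comparison covers sign-outs that never ran, such as a ticket that simply timed out.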

All replies

  • User-94285869 posted

    Hmmmm....okay.  That's a lot easier then.  My site is only for authenticated users.  I do have jQuery code to handle inactivity.

    Thanks for the info.

    Thursday, October 9, 2014 11:53 AM