Forms Authentication vs IIS Idle Time Out

  • Question

  • User-1665555424 posted

    If I setup Forms Authentication with:

    <authentication mode="Forms">
      <forms loginUrl="/MyLogin/Index" timeout="2880" />
    </authentication>

    and IIS has Idle Time Out set to 20

    Will re-authentication be required after 20 minutes?

    I do not have the Machine or Encryption key set.  I do not use Session variables.

    I was thinking that IIS encrypts the cookie probably with the Machine Key and MAYBE a salt.  So if IIS resets after 20 the cookie would be invalid?

    If I set my own Machine Key and Encryption key maybe the cookie would be good????

    Monday, November 17, 2014 5:36 PM

Answers

  • User281315223 posted

    Don't quote me on this, but I believe that Forms Authentication is quite a bit different as it is generally handled at the browser-level and thus isn't going to be susceptible to an IIS Idle Timeout (e.g. if you are logged in and you experience an Idle Timeout, you won't be required to reauthenticate). I'm not currently around an environment to test this theory out, but I believe that you should still be authenticated (you could try explicitly restarting your application pool while authenticated to test this).

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, November 17, 2014 5:43 PM
  • User-1665555424 posted

    You're incorrect, I tested it. Unfortunately, yet another bad design feature in Forms Authentication. Not as bad as converting 401 and 403 to 302s but pretty awful. I knew this happened for Session Cookies, wasn't sure for the Forms cookie.

    If you don't specify your own encryption keys, it probably uses the webserver machine key with a salt.  Thus your authentication ticket timeout setting is pretty useless for a low volume site (like in the middle of the night).

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, November 17, 2014 7:44 PM
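An added example, not from the thread: a web.config fragment that sets an explicit machineKey, which is the usual way to make sure Forms Authentication tickets are protected with keys that do not change across an application pool recycle or between servers in a farm. The key values are placeholders; the forms settings reuse the loginUrl and timeout from the question.

```xml
<!-- Added example (not the poster's config). Key values are placeholders:
     replace them with your own random hex strings and keep them secret. -->
<configuration>
  <system.web>
    <!-- Fixed keys. Without this element ASP.NET uses auto-generated keys,
         and any key change invalidates every ticket issued before it. -->
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARS_FOR_HMACSHA256"
                decryptionKey="PLACEHOLDER_64_HEX_CHARS_FOR_AES"
                validation="HMACSHA256"
                decryption="AES" />

    <authentication mode="Forms">
      <!-- timeout is in minutes; protection="All" keeps the ticket
           both encrypted and HMAC-signed with the keys above -->
      <forms loginUrl="/MyLogin/Index"
             timeout="2880"
             slidingExpiration="true"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- Keep the ticket cookie out of script and off plain HTTP -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Generate the hex values with a cryptographic random source (the IIS Manager "Machine Key" feature can do this) and note that rotating them deliberately logs every user out, which is the expected behaviour after a key compromise.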
