Forms authentication timeout vs sessionState timeout

codeling 1301 - 5556
@2020-11-13 15:13:23

In the web.config, there are session timeout settings in two places as below.

<authentication mode="Forms">
  <forms loginUrl="~/Auth/SignOn.aspx" timeout="40" slidingExpiration="true" />
</authentication>

<sessionState timeout="30" />

Does anyone know if one takes precedence over the other, and how they are different?


codeling 1301 - 5556
@2020-11-13 15:15:59

The difference is that the Forms Authentication timeout has to do with authenticating the user and the SessionState timeout has to do with how long cached data is stored on the server. So they are very independent things, so one does not take precedence over the other.

The Forms Authentication timeout value sets the amount of time in minutes that the authentication cookie is set to be valid, meaning, that after value number of minutes, the cookie will expire and the user will no longer be authenticated—they will be redirected to the login page automatically. The slidingExpiration=true value is basically saying that as long as the user makes a request within the timeout value, they will continue to be authenticated. If you set slidingExpiration=false the authentication cookie will expire after value number of minutes regardless of whether the user makes a request within the timeout value or not.

The SessionState timeout value sets the amount of time a Session State provider is required to hold data in memory (or whatever backing store is being used, SQL Server, OutOfProc, etc) for a particular session. For example, if you put an object in Session using the value in your example, this data will be removed after 30 minutes. The user may still be authenticated but the data in the Session may no longer be present. The Session Timeout value is always reset after every request.
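
The interaction of the two timers described in the answer above, as an added example that is not part of the original thread: it reads both values from a constructed web.config and replays request timelines against them. The function names and timelines are assumptions for illustration, and the model applies ASP.NET's documented rule that a sliding ticket is reissued only once more than half of the timeout has elapsed.

```python
import xml.etree.ElementTree as ET

# Constructed web.config wrapping the two settings quoted in the question.
WEB_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Auth/SignOn.aspx" timeout="40" slidingExpiration="true" />
  </authentication>
  <sessionState timeout="30" />
</system.web></configuration>"""


def read_timeouts(xml_text):
    """Return (forms_minutes, sliding, session_minutes) from web.config text."""
    root = ET.fromstring(xml_text)
    forms = next(root.iter("forms"))
    session = next(root.iter("sessionState"))
    return (int(forms.attrib["timeout"]),
            forms.attrib["slidingExpiration"].lower() == "true",
            int(session.attrib["timeout"]))


def simulate(request_minutes, forms_timeout, sliding, session_timeout):
    """Replay request times (minutes after sign-on, ascending) and return
    (minute, authenticated, session_data_present) for each request."""
    issued, ticket_expires = 0, forms_timeout   # ticket issued at sign-on
    session_expires, data_present = session_timeout, True  # data stored at sign-on
    authenticated, results = True, []
    for t in request_minutes:
        # Authentication: an expired ticket stays expired (no re-login modelled).
        authenticated = authenticated and t < ticket_expires
        # Sliding expiration reissues the ticket only when more than half of
        # the timeout has elapsed since it was issued.
        if authenticated and sliding and (t - issued) > forms_timeout / 2:
            issued, ticket_expires = t, t + forms_timeout
        # Session: data stored at sign-on is lost once the idle window passes;
        # every request restarts the idle window.
        data_present = data_present and t < session_expires
        session_expires = t + session_timeout
        results.append((t, authenticated, data_present))
    return results


if __name__ == "__main__":
    forms_t, sliding, session_t = read_timeouts(WEB_CONFIG)
    for timeline in ([25, 60], [10, 45]):
        for minute, auth, data in simulate(timeline, forms_t, sliding, session_t):
            print(f"t={minute:>3} min  authenticated={auth}  session data={data}")
        print()
```

With the question's values, the timeline 25, 60 ends with the user still authenticated but the session data gone, while 10, 45 ends with the ticket expired even though the gap between requests was under 40 minutes.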


codeling 1301 - 5556
@2020-11-13 15:36:54

A new session is started if a request is made that does not contain a session identifier, the session identifier is invalid, or the session associated with a session identifier has expired.

ASP.NET provides two events that help you manage user sessions. The Session_OnStart event is raised when a new session starts, and the Session_OnEnd event is raised when a session is abandoned or expires. Session events are specified in the Global.asax file for an ASP.NET application.

The Session_OnEnd event is not supported if the session Mode property is set to a value other than InProc, which is the default mode.

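// Global.asax: raised when a new session starts.
public void Session_OnStart()
{
}

// Raised when a session is abandoned or expires (InProc mode only).
public void Session_OnEnd()
{
}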
