Reputation: 30071
Why set forms authentication timeout longer than session timeout?
I think I understand the difference between ASP.NET's "session" and "forms authentication". Session is basically used for storing info specific to that user's session (maybe the state of a search filter), and the forms authentication is used to remember that they should have access to certain things.
My question is, why is it ever desirable to have the forms authentication timeout be longer than the session timeout? In fact, by default, web.config sets forms authentication's timeout to be much longer.
Here are the 2 scenarios I see:
- Session times out before forms auth does. User loses things like search filters and although they can still see secured pages, things may look different and various things may reset. In addition, the developer has to worry about Session becoming
nullevery time they use it. - Forms auth times out before session does. User has to re-enter username and password, but they get back to the page they were on and with the session info intact (unless that has also timed out). Developer only has to worry about Session being
nullin one place - on login - and can initialize it there if necessary.
Why would scenario 1) ever be more desirable? Am I missing something?
Upvotes: 7
Views: 7063
Answers (1)
Reputation: 5986
The thing is Session timeout is a more critical setting than the other. Setting authentication timeout to a very long period will not affect the web application in the means of server resources. But if you set Session timeout to a long period this could cause memory problems under high stakes.
You are right about your statement. As a developer I would prefer 2 over 1. However there is an easy way to handle session expiration. Check out this SO question. One of the answers has a good solution to session expiration.
protected void Session_Start(Object sender, EventArgs e)
{
if (User.Identity.IsAuthenticated)
{
FormsAuthentication.SignOut();
Response.Redirect("~/SessionEnd.aspx");
}
}
This way you can handle expired Session's in one place.
Upvotes: 6
Related Questions
- Forms authentication timeout vs sessionState timeout
- ASP.Net Session Timeout: Why 20 minutes used as default?
- What are possibilities that <sessionState> timeout is ignored when using forms authentication?
- Forms Authentication Timeout vs Session Timeout
- Differences in forms auth timeout and session timeout
- Form authentication timout is bigger then session timeout
- Why is Session State timeout overriding Forms Authentication timeout in my MVC3 application?
- Session timeout vs Form Authentication timeout
- What is different between forms Authentication timeout vs session timeout in Asp.net application?
- sql sessionState time out vs forms authentication timeout