asp.net 2.0 session timeout

Question

I apologize in advance for this likely being asked before. I have an asp.net 2.0 web application and am trying to set the session timeout.

My first attempt was to add this to the web.config. < sessionState mode="InProc" timeout="300" >

Users would tell me though that after about 20 minutes of being idle and then trying to do something again on the site they'd be redirected back to the login page.

So now I'm trying timeout="60" in my < forms tag in the web.config.

I also tried Session.Timeout=60 in my global.asax.

Should these work? Do I need something else? Thank you for your time and help.

Answer 1

Session timeout and the authentication timeout are two separate things.

Any user that comes to your site gets a session, regardless of whether or not they've logged in. After they have been inactive for the specified timeout, their session is gone and they get assigned a new session the next time they hit your site.

Forms Authentication uses an authentication ticket in a cookie that also has a timeout. If the authentication timeout is shorter than the session timeout, the authentication ticket will expire and the users will still be logged out - but they'll still have their session data!

You need to look for the authentication timeout in your web.config and adjust it to match the session timeout.

Answer 2

From another forum post.

There are two different types of timeout. One is an authentication timeout (which redirects you to a login page) and the other is a session timeout (which drops all session vars). I set the session timeout in global.asax session_start by using session.timeout. IN your webconfig, you can set the authentication timeout by editing this tag:

<authentication mode="Forms"> 
    <forms timeout="1024"/> 
</authentication>