Reputation: 2784
The ASP.NET application kicks out the users after 20 min even though it has the following in the Web.config and the users are posting the forms:
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880"/>
</authentication>
Reading this, I am getting the impression that I need to add sliding expiration AND sessionState set to at least 2880 in order to achieve at least a 48 min timeout that would be restarted every time the user does a POST.
Is that correct?
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" slidingExpiration="true"/>
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="3000" />
Upvotes: 1
Views: 2483
Reputation: 827
Authentication and session state are different entities. The timeout attribute under the authentication tag sets the time before the authentication cookie expires (in minutes). You can actually view the cookie itself in the Chrome browser within Developer Tools -> Resources -> Cookies (.ASPXAUTH is the default name). By setting sliding expiration equal to true, you will renew the cookie each time an authenticated user submits a request.
Session state is controlling the amount of time before the session expires. Once again, submitting a request will reset the timer. In many scenarios, web applications will require both the authentication cookie to be valid and the session to be current in order for the user to remain logged in. It's also often a bad idea to set the session timeout to a very long value (more than a couple hours) for security reasons. If you did want to maintain the current session for a long period of time regardless of activity, however, you would set the timeout value as you have done.
In your case, it sounds like you do need to set both timeout values to the desired amount of time if you want the user to remain logged in even despite inactivity.
Upvotes: 1
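To see which of the two timers described in the answer above is ending a login, a diagnostic action can report both side by side. This is an added example, not code from either post; the controller name TimeoutDiagController and the session key diag.started are hypothetical, and it assumes ASP.NET MVC on .NET Framework 4 or later.

```csharp
using System;
using System.Text;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical diagnostic controller; remove it once troubleshooting is done.
[Authorize]
public class TimeoutDiagController : Controller
{
    public ActionResult Index()
    {
        var sb = new StringBuilder();

        // Timer 1: the forms-authentication ticket carried in the .ASPXAUTH cookie.
        var identity = User.Identity as FormsIdentity;
        if (identity != null)
        {
            FormsAuthenticationTicket t = identity.Ticket;
            sb.AppendLine("Forms timeout (config): " + FormsAuthentication.Timeout.TotalMinutes + " min");
            sb.AppendLine("Sliding expiration:     " + FormsAuthentication.SlidingExpiration);
            sb.AppendLine("Ticket issued:          " + t.IssueDate.ToString("s"));
            sb.AppendLine("Ticket expires:         " + t.Expiration.ToString("s"));
            sb.AppendLine("Ticket minutes left:    " + (int)(t.Expiration - DateTime.Now).TotalMinutes);
        }
        else
        {
            sb.AppendLine("Request is not forms-authenticated.");
        }

        // Timer 2: session state. A marker is stored so that a reset session
        // (timeout, or an InProc worker-process recycle) shows up as "absent".
        if (Session != null)
        {
            object started = Session["diag.started"];
            if (started == null)
            {
                Session["diag.started"] = DateTime.Now.ToString("s");
            }
            sb.AppendLine("Session timeout:        " + Session.Timeout + " min");
            sb.AppendLine("Session marker:         " + (started ?? "absent (new or reset session)"));
        }
        else
        {
            sb.AppendLine("Session state is disabled for this request.");
        }

        return Content(sb.ToString(), "text/plain");
    }
}
```

If the ticket still has minutes left but the session marker comes back absent after a period of use, the session, not the authentication cookie, is what expired.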