Re: Authentication question

From: Scott Allen (scott_at_nospam.odetocode.com)
Date: 02/14/05


Date: Mon, 14 Feb 2005 10:44:18 -0500

Hi Joe:

The session timeout and forms authentication cookie timeout are
independent, as you pointed out. The user could sit idle for 25
minutes and have the session timeout but still have a good cookie and
be authenticated.

You could synchronize the two to use the same timeout value, but I
would not assume that a user with a session is authenticated, or that
an authenticated user has a session. For example you can imagine the
user logging in then the application restarting (perhaps because
web.config was touched). The user would still have a good
authentication cookie but all of the inproc session state is gone.

Helpful?

--
Scott
http://www.OdeToCode.com/blogs/scott/

On Mon, 14 Feb 2005 09:59:46 -0500, "Joe Fallon"
<jfallon1@nospamtwcny.rr.com> wrote:
>I use Forms authentication and State Server and Cookies are enabled.
>
>Is this correct?
>
>If the session is set to timeout in 20 minutes that means that if there is
>no activity for 20 minutes then the session will expire and the user will
>have to log in again. But if they request pages then the 20 minute period
>restarts after each page is requested.
>
>If the user is active for 20 minutes and then is idle for the next 15 the
>session has not timed out and they should not have to log in again.
>
>But does the authentication ticket in the cookie expire in 30 minutes?
>
>If so, does THAT force a log in again?
>
>What is the "best" way to coordinate these 2 to minimize the amount of
>re-logging in and yet maintaining some basic level of security?
>
>Thanks!
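An added example (not code from Scott's reply or Joe's post) of what that advice looks like in ASP.NET: the web.config fragment gives both idle timers the same window, and a hypothetical base page re-checks the forms ticket and the session separately instead of treating either one as proof of the other. The names SecurePage, UserProfile, LoadProfile and login.aspx are assumptions.

```csharp
// web.config (constructed example): give both timers the same idle window.
//   <authentication mode="Forms">
//     <forms loginUrl="login.aspx" timeout="20" slidingExpiration="true" />
//   </authentication>
//   <sessionState mode="StateServer" timeout="20" />
//
// Matching values do not make the two expire together: the ticket lives in
// the cookie, the session lives on the server, and either can outlast the
// other. Every protected page derives from this class and checks both.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public abstract class SecurePage : Page
{
    // Hypothetical session key under which the app caches per-user data.
    private const string ProfileKey = "UserProfile";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Case 1: no valid ticket (expired, or never issued) but possibly a
        // live session. Do not let the session stand in for a login: drop it
        // and send the user to the login page.
        if (!Context.User.Identity.IsAuthenticated)
        {
            Session.Abandon();
            FormsAuthentication.SignOut();
            Response.Redirect("login.aspx");   // hypothetical login URL
            return;
        }

        // Case 2: valid ticket but no session data (session idle timeout, or
        // an app restart while state was InProc). Rebuild the session from
        // the identity carried in the ticket rather than assuming an
        // authenticated user always has one.
        if (Session[ProfileKey] == null)
        {
            Session[ProfileKey] = LoadProfile(Context.User.Identity.Name);
        }
    }

    // Hypothetical extension point: fetch the user's data from the store.
    protected abstract object LoadProfile(string userName);
}
```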
