Re: Authentication question

From: Joe Fallon (jfallon1_at_nospamtwcny.rr.com)
Date: 02/15/05


Date: Mon, 14 Feb 2005 19:09:53 -0500

Yes.
I also found the settings (RTM) and chose to set a sliding timeout for the
cookie.
I just didn't know it existed. So I wasn't aware of why some testers
complained about having to log in when I knew their session had not expired.

Much better now.
Thanks!

-- 
Joe Fallon
"Scott Allen" <scott@nospam.odetocode.com> wrote in message 
news:cag111h0em7c7dqo3pg18oqo7doe80k47m@4ax.com...
> Hi Joe:
>
> The session timeout and forms authentication cookie timeout are
> independent, as you pointed out. The user could sit idle for 25
> minutes and have the session timeout but still have a good cookie and
> be authenticated.
>
> You could synchronize the two to use the same timeout value, but I
> would not assume that a user with a session is authenticated, or that
> an authenticated user has a session. For example you can imagine the
> user logging in then the application restarting (perhaps because
> web.config was touched). The user would still have a good
> authentication cookie but all of the inproc session state is gone.
>
> Helpful?
>
> --
> Scott
> http://www.OdeToCode.com/blogs/scott/
>
>
> On Mon, 14 Feb 2005 09:59:46 -0500, "Joe Fallon"
> <jfallon1@nospamtwcny.rr.com> wrote:
>
>>I use Forms authentication and State Server and Cookies are enabled.
>>
>>Is this correct?
>>
>>If the session is set to timeout in 20 minutes that means that if there is
>>no activity for 20 minutes then the session will expire and the user will
>>have to log in again. But if they request pages then the 20 minute period
>>re-starts after each page is requested.
>>
>>If the user is active for 20 minutes and then is idle for the next 15 the
>>session has not timed out and they should not have to log in again.
>>
>>But does the authentication ticket in the cookie expire in 30 minutes?
>>
>>If so, does THAT force a log in again?
>>
>>What is the "best" way to coordinate these 2 to minimize the amount of
>>re-logging in and yet maintain some basic level of security?
>>
>>Thanks!
> 
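
Added example, not part of the original posts: a small Python model of the two independent timers discussed in this thread, using the 20-minute session timeout and 30-minute ticket timeout from the question. It is not ASP.NET code. It assumes the session timeout restarts on every request and that sliding expiration reissues the ticket only once more than half of its lifetime has elapsed; the request timelines are constructed.

```python
# Added model (not ASP.NET source). All times are minutes since the login.

def simulate(requests, session_timeout=20, ticket_timeout=30, sliding=False):
    """Return [(minute, authenticated, session_alive)] as seen when each request arrives.

    requests[0] is the login; later entries are page requests in ascending order.
    """
    issued = requests[0]
    ticket_expires = issued + ticket_timeout
    session_expires = requests[0] + session_timeout
    seen = []
    for t in requests[1:]:
        authenticated = t < ticket_expires
        session_alive = t < session_expires
        seen.append((t, authenticated, session_alive))
        if not authenticated:
            # The user is sent to the login page and receives a fresh ticket.
            issued, ticket_expires = t, t + ticket_timeout
        elif sliding and (t - issued) > (ticket_expires - t):
            # Sliding expiration: reissue only after more than half the lifetime is used.
            issued, ticket_expires = t, t + ticket_timeout
        # The session timeout restarts on every request (a new session if the old one expired).
        session_expires = t + session_timeout
    return seen

# Constructed timelines.
JOE = [0, 5, 10, 15, 20, 35]   # active for 20 minutes, then idle for 15
SCOTT = [0, 25]                # idle for 25 minutes right after login
HALF = [0, 14, 31]             # last request lands before the half-life renewal point

if __name__ == "__main__":
    cases = [
        ("active 20, idle 15, fixed ticket", JOE, False),
        ("active 20, idle 15, sliding ticket", JOE, True),
        ("idle 25, fixed ticket", SCOTT, False),
        ("requests at 14 and 31, sliding ticket", HALF, True),
    ]
    for label, reqs, slide in cases:
        minute, auth, sess = simulate(reqs, sliding=slide)[-1]
        print(f"{label}: minute {minute} authenticated={auth} session_alive={sess}")
```

The last case shows why sliding expiration alone does not guarantee a full 30 minutes of idle time: a request made before the halfway point does not extend the ticket.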

