Forms authentication timeout vs sessionState timeout

They are different things.

The Forms Authentication Timeout value sets the amount of time in minutes that the authentication cookie is set to be valid, meaning, that after value number of minutes, the cookie will expire and the user will no longer be authenticated - they will be redirected to the login page automatically-. The slidingExpiration=true value is basically saying that after every request made, the timer is reset and as long as the user makes a request within the timeout value, they will continue to be authenticated. If you set slidingExpiration=false the authentication cookie will expire after value number of minutes regardless of whether the user makes a request within the timeout value or not.

The SessionState timeout value sets the amount of time a Session State provider is required to hold data in memory (or whatever backing store is being used, SQL Server, OutOfProc, etc) for a particular session.

For example, if you put an object in Session using the value in your example, this data will be removed after 30 minutes.

The user may still be authenticated but the data in the Session may no longer be present.

The Session Timeout value is always reset after every request.

Session timeout vs Forms Authentication timeout

问题

I have been using ASP.NET MVC 2, 3 for a couple years now and we are moving to MVC 4.
We're migrating to SimpleMembership and needed to make changes to the web.config.  
However, suddenly I got utterly confused with the timeout values in web.config.

In addition to using SimpleMembership we also want to increase the session timeout from the standard 20 to 30 minutes, so I changed the following configuration setting.

<sessionState timeout="30" mode="InProc" />

I presume this is correct. 
But then a co-worker of mine suggested that we also need to change the following timeout value from 20 to 30.

<forms loginUrl="~/Login" timeout="20" />

Is this necessary?  If so, could someone explain how the two are related?

答案

Yes, and ideally the both timeout should be kept in sync.  The best way to do this is using HttpModule or using filters in MVC.  Now, why is this necessary..

Forms authentication timeout indicates, how long a user is recognised and stay authenticated in case of any lack of inactivity

and similarly session timeout indicates how long to preseve users session in case of any inactivity.

Now imagine this case... (simplified for clarification purpose).

You have a ecommerce application where the items are stored in a session, when the users "say" does an "Add to cart operation".  Now how long you want this value available in session is determined by your session timeout.

But say your session timeout is 10 minutes and your forms authentication timeout is 30 minutes, so in case of any lack of activity, the user may lose what he has added to the cart after 20 minutes of inactivity wheres the users is still authenticated for another 20 minutes after session timeout....In this case after 10 minutes of inactivity the users session is lost while he still being logged in successfully.  To avoid issues like this and there will be many more other cases, its better to keep the session and forms auth. timeout in sync.

Keeping both in sync avoid inconsistency in user experience.  (There could be other use cases where session timeout could be less than auth timeout, in that case the application should handle all the edge cases)..

Hope I am able to present the example.. In case of any further clarification do revert back.

ASP.NET Session Timeouts

In ASP.NET there are lots of timeouts. In this blog entry I will be covering in great detail Session timeout due to the complexity of the issue and the fact that I can never remember where all the setting are and what they are for. I am not covering other timeouts except Script Timeout.

SIDE
NOTE: Web services that you consume have timeouts before ASP.NET stops
waiting for a response from a web service, but I am not covering that
here. The web services on the server side have timeouts that are
independent of the ASP.NET consuming the web service. I am also not
covering timeouts associated with database connections or authentication
either. It is however important that all these timeouts be be
compatible with each other, otherwise you will get undesirable behavior.
For example, don't set your execution time to less than the database
timeout. Or don't set the application recycle to be less than the
session timeout.

SessionState Timeout

This
is the number of minutes before an ASP.NET user session is terminated.
It must be an integer, and it is in minutes. The default is to terminate
the session after 20 minutes and the application will throw an
exception when accessing an terminated session. Another way to think of
this is that it is the time between requests for a given session (which
is per user) before a session is terminated.

I recommend reading Idle Timeout section below to see how these are related.

Session Timeout Event

When
the session times out it fires an event called: Session_End

and then
when the user hits the page again (after it has expired or the first
time), it will start a new session and the Session_Start event is
called.

It is important to know that the only thing you can really do in
the Session_End event is do clean up.

This is because this event fire
even if a user doesn't hit a page again.

In other words, if a session
times out due to inactivity, the Session_End is fired even if the user
never refreshes the page, etc.

It is independent of the page lifecycle.

These events are defined in the Global.asax file.

Detecting when a session has timed out

The short answer to this is that you have a session time when the following conditions are met:
Context.Session != null
AND Context.Session.IsNewSession == true
AND Page.Request.Headers["Cookie"] != null
AND Page.Request.Header["Cookie"].indexOf("ASP.NET_SessionId") >= 0

The long answer is read this blog for more details and sample code: http://www.eggheadcafe.com/articles/20051228.asp
and http://aspalliance.com/520

timeout in role manager

https://msdn.microsoft.com/en-us/library/ms164660(v=vs.100).aspx

https://msdn.microsoft.com/en-us/library/system.web.security.roles.cookietimeout(v=vs.110).aspx

<roleManager defaultProvider="SqlProvider"
enabled="true"
cacheRolesInCookie="true"
cookieName=".ASPROLES"
cookieTimeout="30"
cookiePath="/MyApplication"
cookieRequireSSL="true"
cookieSlidingExpiration="true"
cookieProtection="Encrypted" >
<providers>
<add
name="SqlProvider"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="SqlServices"
applicationName="MyApplication" />
</providers>
</roleManager>

https://support.microsoft.com/en-us/help/910439

The forms authentication ticket times out

The other common cause for a user to be redirected is if the forms authentication ticket has expired. The forms authentication ticket can time out in two ways. The first scenario occurs if you use absolute expiration. With absolute expiration, the authentication ticket expires when the expiration time expires. For example, you set an expiration of 20 minutes, and a user visits the site at 2:00 PM. The user will be redirected to the login page if the user visits the site after 2:20 PM.

If you use sliding expiration, the scenario is a
bit more complicated. The cookie and the resulting ticket are updated if
the user visits the site after the expiration time is half-expired. For
example, you set an expiration of 20 minutes by using sliding
expiration. A user visits the site at 2:00 PM, and the user receives a
cookie that is set to expire at 2:20 PM. The expiration is only updated
if the user visits the site after 2:10 PM. If the user visits the site
at 2:09 PM, the ticket is not updated because half of the expiration
time has not passed. If the user then waits 12 minutes, visiting the
site at 2:21 PM, the ticket will be expired. The user is redirected to
the login page.

https://www.codeproject.com/Articles/534693/Authentication-vs-Session-timeout-Session-expired

https://support.microsoft.com/en-us/help/910443/understanding-the-forms-authentication-ticket-and-cookie

设置timeout

Forms authentication的timeout设置

<authentication mode="Forms">
<forms timeout="1440" slidingExpiration="true" />
</authentication>

session的timeout的设置

 <sessionState timeout="1440" />

timeout in asp.net的更多相关文章

  1. asp.net mvc Session RedisSessionStateProvider锁的实现

    最近项目用到了RedisSessionStateProvider来保存session,发现比内存session慢,后来慢慢了解,发现asp.net session是有锁的.我在文章 你的项目真的需要S ...

  2. [转]SQL Server Reporting Services - Timeout Settings

    本文转自:https://social.technet.microsoft.com/wiki/contents/articles/23508.sql-server-reporting-services ...

  3. Authentication in asp.net

    https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-o ...

  4. web.config 配置

    一.认识Web.config文件   Web.config 文件是一个xml文本文件,它用来储存 asp.NET Web 应用程序的配置信息(如最常用的设置asp.NET Web 应用程序的身份验证方 ...

  5. 关于多台机器之前session共享,sessionState mode="StateServer" 问题的困扰

    .net 多台机器共享session是很老的技术,一直很少用到session. 最近就出现了一个问题:三台前端,其中一台保存的session值死活不对,一样的环境,一样的配置文件,就是和另外两台获得的 ...

  6. SqlServer Session共享注意点

    公司下派任务,之前的网站是一台服务器,由于用户过多,负载过大,现在老大要求多加一台服务器.加就加贝,应该跟我这DEV没有 关系吧,应该不会碰到Source的吧.但是,之前网站有一些数据是放在Sessi ...

  7. Web.config文件 详解

    一.认识Web.config文件Web.config 文件是一个XML文本文件,它用来储存 ASP.NET Web 应用程序的配置信息(如最常用的设置ASP.NET Web 应用程序的身份验证方式), ...

  8. Web.Config全攻略

    一.认识Web.config文件   Web.config 文件是一个xml文本文件,它用来储存 asp.NET Web 应用程序的配置信息(如最常用的设置asp.NET Web 应用程序的身份验证方 ...

  9. ASP.NET Misconfiguration: Excessive Session Timeout

    Abstract: An overly long authentication timeout gives attackers more time to potentially compromise ...

随机推荐

  1. Container Views

    https://developer.apple.com/documentation/uikit/views_and_controls Container Views Organize and pres ...

  2. .net core Elasticsearch 查询更新

    记录一下: 数据结构如下: public class ESUserTransaction { public long AccountId { get; set; } public string Var ...

  3. C# HttpWebRequest Post Get 请求数据

    Post请求 1 //data 2 string cookieStr = "Cookie信息"; 3 string postData = string.Format("u ...

  4. nodejs连接数据库

    var express = require("express");var query = require("querystring");var mysql = ...

  5. JavaScript 实现页面中录音功能

    页面中实现录音需要使用浏览器提供的 Media​Recorder API,所以前提是需要浏览器支持 MediaStream Recording 相关的功能. 以下代码默认工作在 Chrome 环境中. ...

  6. MS SQL Server查询 本日、本周、本月、本季度、本年起始时间

    参数声明 declare @beginTime datetime, --查询开始时间 @endTime datetime, --查询结束时间 @queryTimeType tinyint; --查询时 ...

  7. Python爬虫:抓取手机APP的数据

    摘要 大多数APP里面返回的是json格式数据,或者一堆加密过的数据 .这里以超级课程表APP为例,抓取超级课程表里用户发的话题. 1.抓取APP数据包 表单: 表单中包括了用户名和密码,当然都是加密 ...

  8. 微信小程序中使用ECharts 异步加载数据 实现图表

    <!--pages/bar/index.wxml--> <view class="container"> <ec-canvas id="my ...

  9. MyBatis 的基本要素—SQL 映射文件

    MyBatis 真正的强大在于映射语句,相对于它强大的功能,SQL 映射文件的配置却是相当简单.对比 SQL 映射配置和 JDBC 代码,发现使用 SQL 映射文件配置可减少 50% 以上的代码,并且 ...

  10. Oracle 参数文件

    参数文件(10g中的参数文件) 主要用来记录数据库的配置文件,在数据库启动时,Oracle读取参数文件,并根据参数文件中的参数设置来配置数据库. 如内存池的分配,允许打开的进程数和会话数等. 两类参数 ...