Forms authentication timeout vs sessionState timeout

They are different things.

The Forms Authentication Timeout value sets the amount of time in minutes that the authentication cookie is set to be valid, meaning, that after value number of minutes, the cookie will expire and the user will no longer be authenticated - they will be redirected to the login page automatically-. The slidingExpiration=true value is basically saying that after every request made, the timer is reset and as long as the user makes a request within the timeout value, they will continue to be authenticated. If you set slidingExpiration=false the authentication cookie will expire after value number of minutes regardless of whether the user makes a request within the timeout value or not.

The SessionState timeout value sets the amount of time a Session State provider is required to hold data in memory (or whatever backing store is being used, SQL Server, OutOfProc, etc) for a particular session.

For example, if you put an object in Session using the value in your example, this data will be removed after 30 minutes.

The user may still be authenticated but the data in the Session may no longer be present.

The Session Timeout value is always reset after every request.

Session timeout vs Forms Authentication timeout

问题

I have been using ASP.NET MVC 2, 3 for a couple years now and we are moving to MVC 4.
We're migrating to SimpleMembership and needed to make changes to the web.config.  
However, suddenly I got utterly confused with the timeout values in web.config.

In addition to using SimpleMembership we also want to increase the session timeout from the standard 20 to 30 minutes, so I changed the following configuration setting.

<sessionState timeout="30" mode="InProc" />

I presume this is correct. 
But then a co-worker of mine suggested that we also need to change the following timeout value from 20 to 30.

<forms loginUrl="~/Login" timeout="20" />

Is this necessary?  If so, could someone explain how the two are related?

答案

Yes, and ideally the both timeout should be kept in sync.  The best way to do this is using HttpModule or using filters in MVC.  Now, why is this necessary..

Forms authentication timeout indicates, how long a user is recognised and stay authenticated in case of any lack of inactivity

and similarly session timeout indicates how long to preseve users session in case of any inactivity.

Now imagine this case... (simplified for clarification purpose).

You have a ecommerce application where the items are stored in a session, when the users "say" does an "Add to cart operation".  Now how long you want this value available in session is determined by your session timeout.

But say your session timeout is 10 minutes and your forms authentication timeout is 30 minutes, so in case of any lack of activity, the user may lose what he has added to the cart after 20 minutes of inactivity wheres the users is still authenticated for another 20 minutes after session timeout....In this case after 10 minutes of inactivity the users session is lost while he still being logged in successfully.  To avoid issues like this and there will be many more other cases, its better to keep the session and forms auth. timeout in sync.

Keeping both in sync avoid inconsistency in user experience.  (There could be other use cases where session timeout could be less than auth timeout, in that case the application should handle all the edge cases)..

Hope I am able to present the example.. In case of any further clarification do revert back.

ASP.NET Session Timeouts

In ASP.NET there are lots of timeouts. In this blog entry I will be covering in great detail Session timeout due to the complexity of the issue and the fact that I can never remember where all the setting are and what they are for. I am not covering other timeouts except Script Timeout.

SIDE
NOTE: Web services that you consume have timeouts before ASP.NET stops
waiting for a response from a web service, but I am not covering that
here. The web services on the server side have timeouts that are
independent of the ASP.NET consuming the web service. I am also not
covering timeouts associated with database connections or authentication
either. It is however important that all these timeouts be be
compatible with each other, otherwise you will get undesirable behavior.
For example, don't set your execution time to less than the database
timeout. Or don't set the application recycle to be less than the
session timeout.

SessionState Timeout

This
is the number of minutes before an ASP.NET user session is terminated.
It must be an integer, and it is in minutes. The default is to terminate
the session after 20 minutes and the application will throw an
exception when accessing an terminated session. Another way to think of
this is that it is the time between requests for a given session (which
is per user) before a session is terminated.

I recommend reading Idle Timeout section below to see how these are related.

Session Timeout Event

When
the session times out it fires an event called: Session_End

and then
when the user hits the page again (after it has expired or the first
time), it will start a new session and the Session_Start event is
called.

It is important to know that the only thing you can really do in
the Session_End event is do clean up.

This is because this event fire
even if a user doesn't hit a page again.

In other words, if a session
times out due to inactivity, the Session_End is fired even if the user
never refreshes the page, etc.

It is independent of the page lifecycle.

These events are defined in the Global.asax file.

Detecting when a session has timed out

The short answer to this is that you have a session time when the following conditions are met:
Context.Session != null
AND Context.Session.IsNewSession == true
AND Page.Request.Headers["Cookie"] != null
AND Page.Request.Header["Cookie"].indexOf("ASP.NET_SessionId") >= 0

The long answer is read this blog for more details and sample code: http://www.eggheadcafe.com/articles/20051228.asp
and http://aspalliance.com/520

timeout in role manager

https://msdn.microsoft.com/en-us/library/ms164660(v=vs.100).aspx

https://msdn.microsoft.com/en-us/library/system.web.security.roles.cookietimeout(v=vs.110).aspx

<roleManager defaultProvider="SqlProvider"
enabled="true"
cacheRolesInCookie="true"
cookieName=".ASPROLES"
cookieTimeout="30"
cookiePath="/MyApplication"
cookieRequireSSL="true"
cookieSlidingExpiration="true"
cookieProtection="Encrypted" >
<providers>
<add
name="SqlProvider"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="SqlServices"
applicationName="MyApplication" />
</providers>
</roleManager>

https://support.microsoft.com/en-us/help/910439

The forms authentication ticket times out

The other common cause for a user to be redirected is if the forms authentication ticket has expired. The forms authentication ticket can time out in two ways. The first scenario occurs if you use absolute expiration. With absolute expiration, the authentication ticket expires when the expiration time expires. For example, you set an expiration of 20 minutes, and a user visits the site at 2:00 PM. The user will be redirected to the login page if the user visits the site after 2:20 PM.

If you use sliding expiration, the scenario is a
bit more complicated. The cookie and the resulting ticket are updated if
the user visits the site after the expiration time is half-expired. For
example, you set an expiration of 20 minutes by using sliding
expiration. A user visits the site at 2:00 PM, and the user receives a
cookie that is set to expire at 2:20 PM. The expiration is only updated
if the user visits the site after 2:10 PM. If the user visits the site
at 2:09 PM, the ticket is not updated because half of the expiration
time has not passed. If the user then waits 12 minutes, visiting the
site at 2:21 PM, the ticket will be expired. The user is redirected to
the login page.

https://www.codeproject.com/Articles/534693/Authentication-vs-Session-timeout-Session-expired

https://support.microsoft.com/en-us/help/910443/understanding-the-forms-authentication-ticket-and-cookie

设置timeout

Forms authentication的timeout设置

<authentication mode="Forms">
<forms timeout="1440" slidingExpiration="true" />
</authentication>

session的timeout的设置

 <sessionState timeout="1440" />

timeout in asp.net的更多相关文章

  1. asp.net mvc Session RedisSessionStateProvider锁的实现

    最近项目用到了RedisSessionStateProvider来保存session,发现比内存session慢,后来慢慢了解,发现asp.net session是有锁的.我在文章 你的项目真的需要S ...

  2. [转]SQL Server Reporting Services - Timeout Settings

    本文转自:https://social.technet.microsoft.com/wiki/contents/articles/23508.sql-server-reporting-services ...

  3. Authentication in asp.net

    https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-o ...

  4. web.config 配置

    一.认识Web.config文件   Web.config 文件是一个xml文本文件,它用来储存 asp.NET Web 应用程序的配置信息(如最常用的设置asp.NET Web 应用程序的身份验证方 ...

  5. 关于多台机器之前session共享,sessionState mode="StateServer" 问题的困扰

    .net 多台机器共享session是很老的技术,一直很少用到session. 最近就出现了一个问题:三台前端,其中一台保存的session值死活不对,一样的环境,一样的配置文件,就是和另外两台获得的 ...

  6. SqlServer Session共享注意点

    公司下派任务,之前的网站是一台服务器,由于用户过多,负载过大,现在老大要求多加一台服务器.加就加贝,应该跟我这DEV没有 关系吧,应该不会碰到Source的吧.但是,之前网站有一些数据是放在Sessi ...

  7. Web.config文件 详解

    一.认识Web.config文件Web.config 文件是一个XML文本文件,它用来储存 ASP.NET Web 应用程序的配置信息(如最常用的设置ASP.NET Web 应用程序的身份验证方式), ...

  8. Web.Config全攻略

    一.认识Web.config文件   Web.config 文件是一个xml文本文件,它用来储存 asp.NET Web 应用程序的配置信息(如最常用的设置asp.NET Web 应用程序的身份验证方 ...

  9. ASP.NET Misconfiguration: Excessive Session Timeout

    Abstract: An overly long authentication timeout gives attackers more time to potentially compromise ...

随机推荐

  1. day14-二分法、匿名函数、内置函数以及面向过程编程

    目录 二分法 匿名函数 内置函数 面向过程编程 二分法 二分法查找适用于数据量较大时,但是数据需要先排好顺序.主要思想是:(设查找的数组区间为array[low, high]) (1)确定该区间的中间 ...

  2. netstat查看服务器连接数端口并发数

    简介 Netstat 命令用于显示各种网络相关信息,如网络连接,路由表,接口状态 (Interface Statistics),masquerade 连接,多播成员 (Multicast Member ...

  3. CAD在网页中如何实现嵌套打印?

    当用户需要打印两个控件的图纸时,可以采用嵌套打印实现.点击此处在线演示. 实现嵌套打印功能,首先将两个控件放入网页中,js代码如下: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 ...

  4. 删除链表中重复的结点_java

    package algorithms; /* public class ListNode { int val; ListNode next = null; ListNode(int val) { th ...

  5. docker 1-->docker machine 转载

    Docker Machine 是 Docker 官方编排(Orchestration)项目之一,负责在多种平台上快速安装 Docker 环境. Docker Machine 是一个工具,它允许你在虚拟 ...

  6. 17Aspectij

    17Aspectij-2018/07/31 1.Aspectj基于xml 前置通知 method : 通知,及方法名 pointcut :切入点表达式,此表达式只能当前通知使用. pointcut-r ...

  7. 基于虚拟机的centos6.5 搭建本地光盘yum源

    在线yum安装必须要保持服务器能够连入网络并且他下载的还会比较慢因为地址大部分多是国外的下载站.另外yum在线下载的都是比较新的软件包,可能不是很稳定,那么使用yum的本地资源就是光盘里的RPM包,让 ...

  8. linux diff-比较给定的两个文件的不同

    推荐:更多Linux 文件查找和比较 命令关注:linux命令大全 diff命令在最简单的情况下,比较给定的两个文件的不同.如果使用“-”代替“文件”参数,则要比较的内容将来自标准输入.diff命令是 ...

  9. config对象的使用及常用方法

    config对象的使用及常用方法 制作人:全心全意 config对象主要用于取得服务器的配置信息.通过pageContext对象的getServletConfig()方法可以获取一个config对象. ...

  10. noip模拟赛 列车调度

    [ 问题描述 ] 有N辆列车,标记为1,2,3,…,N.它们按照一定的次序进站,站台共有K个轨道,轨道遵从 先进先出的原则.列车进入站台内的轨道后可以等待任意时间后出站,且所有列车不可后退.现在要使出 ...