Session Timeout

  • Thread starter Thread starter Antonio
  • Start date Start date
A

Antonio

Hi, everyone,

I need the web application's session to expire after 20 minutes and I added
this in the web.config file but it is not working. I was able to go onto
the default.aspx page after a couple of days that I haven't logged on and I
was not prompted to. Any suggestions? Thanks
<authentication mode="Forms">

<forms name="logincookie" loginUrl="login.aspx" protection="All"
timeout="20"/>

</authentication>
 
Antonio,

Are you sure this is a matter of the session timing out? How do you
know that this is not the result of an authentication cookie being placed on
your machine to identify you. I would bet if you looked at the session ids,
they are different.
 
Hi, Nicholas, thank you for replying. I am not saving the sessions in a
table, I would like people to log onto the web app and after 20 minutes
being challenged again with a login.

Oh, so, I have to save the session so that there is a time start and end for
the app to compare, don't I ?

Antonio
Nicholas Paldino said:
Antonio,

Are you sure this is a matter of the session timing out? How do you
know that this is not the result of an authentication cookie being placed
on your machine to identify you. I would bet if you looked at the session
ids, they are different.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

Antonio said:
Hi, everyone,

I need the web application's session to expire after 20 minutes and I
added this in the web.config file but it is not working. I was able to
go onto the default.aspx page after a couple of days that I haven't
logged on and I was not prompted to. Any suggestions? Thanks
<authentication mode="Forms">

<forms name="logincookie" loginUrl="login.aspx" protection="All"
timeout="20"/>

</authentication>
 
Antonio,

You don't have to save the session id necessarily. Just prevent your
app from allowing people to log on automatically based on cookie information
that they might have on their machine.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

Antonio said:
Hi, Nicholas, thank you for replying. I am not saving the sessions in a
table, I would like people to log onto the web app and after 20 minutes
being challenged again with a login.

Oh, so, I have to save the session so that there is a time start and end
for the app to compare, don't I ?

Antonio
Nicholas Paldino said:
Antonio,

Are you sure this is a matter of the session timing out? How do you
know that this is not the result of an authentication cookie being placed
on your machine to identify you. I would bet if you looked at the
session ids, they are different.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

Antonio said:
Hi, everyone,

I need the web application's session to expire after 20 minutes and I
added this in the web.config file but it is not working. I was able to
go onto the default.aspx page after a couple of days that I haven't
logged on and I was not prompted to. Any suggestions? Thanks
<authentication mode="Forms">

<forms name="logincookie" loginUrl="login.aspx" protection="All"
timeout="20"/>

</authentication>
 
Well, is the section in the web.config enough?


Nicholas Paldino said:
Antonio,

You don't have to save the session id necessarily. Just prevent your
app from allowing people to log on automatically based on cookie
information that they might have on their machine.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

Antonio said:
Hi, Nicholas, thank you for replying. I am not saving the sessions in a
table, I would like people to log onto the web app and after 20 minutes
being challenged again with a login.

Oh, so, I have to save the session so that there is a time start and end
for the app to compare, don't I ?

Antonio
Nicholas Paldino said:
Antonio,

Are you sure this is a matter of the session timing out? How do you
know that this is not the result of an authentication cookie being
placed on your machine to identify you. I would bet if you looked at
the session ids, they are different.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

Hi, everyone,

I need the web application's session to expire after 20 minutes and I
added this in the web.config file but it is not working. I was able to
go onto the default.aspx page after a couple of days that I haven't
logged on and I was not prompted to. Any suggestions? Thanks
<authentication mode="Forms">

<forms name="logincookie" loginUrl="login.aspx" protection="All"
timeout="20"/>

</authentication>
 
Antonio,
You are confusing FormsAuthentication ticket (cookie) timeout with ASP.NET
SessionID ( also a cookie) timeout. They are two separate and distinct things.

Read up on the way to set up your Forms Authentication cookie Name and
expiration policy in your web.config file. You can also set the properties
programmatically with the FormsAuthentication class.

Peter
 
Thank you Peter. Can you tell me where I can find more information? I only
read the MS VS C#.net step by step and they only had the section in the
web.config file.

Antonio
 
Antonio,
All of this kind of "stuff" is covered extensively in the MSDN Library
online documentation, as well as the Visual Studio / .NET Framework help
files that install with the product. You have to get used to the process of
looking this stuff up for yourself or you will be spending all your time
making posts to newsgroups and waiting around for answers.
Here's a link to the MSDN2 member list for the FormsAuthentication class:

http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthentication_members.aspx

Peter

--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com
 
Back
Top