Forms authentication timeout vs sessionState timeout

Forms authentication timeout会导致用户退出，重定向到登陆页面

sessionState和用户登录状态无关，和session里面存储的数据有关。

需要理清楚的概念是:

1.客户端和服务端建立连接之后，就有了session

2.服务端给每个用户分配了user session，是一个session variable list

3.客户端的cookie list里面会新增一个cookie, cookie name是session name,cookie value是session id。

FormsAuthentication的过期时间，直接存储在ticket里面，并且下发一个新的cookie到客户端。

这个新的cookie的cookie name是FormsAuthentication.CookieName，value是加密之后的ticket。

并且这个cookie本身还会有自己的过期时间

They are different things. The Forms Authentication Timeout value sets the amount of time in minutes that the authentication cookie is set to be valid, meaning, that after value number of minutes, the cookie will expire and the user will no longer be authenticated - they will be redirected to the login page automatically-. The slidingExpiration=true value is basically saying that after every request made, the timer is reset and as long as the user makes a request within the timeout value, they will continue to be authenticated. If you set slidingExpiration=false the authentication cookie will expire after value number of minutes regardless of whether the user makes a request within the timeout value or not.

The SessionState timeout value sets the amount of time a Session State provider is required to hold data in memory (or whatever backing store is being used, SQL Server, OutOfProc, etc) for a particular session. For example, if you put an object in Session using the value in your example, this data will be removed after 30 minutes. The user may still be authenticated but the data in the Session may no longer be present. The Session Timeout value is always reset after every request.

<authentication mode="Forms">
      <forms loginUrl="CMSPages/logon.aspx" defaultUrl="Default.aspx" name=".ASPXFORMSAUTH_cms6000" timeout="1440" slidingExpiration="true" path="/"/>
    </authentication>

<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />

Forms Authentication Timeout vs Session Timeout

To be on the safe side: TimeOut(Session) <= TimeOut(FormsAuthentication) * 2
If you want to show page other than specified in loginUrl attribute after authentication timeout you need to handle this manually as ASP.NET does not provide a way of doing it.

To achieve #2 you can manually check the cookie and its AuthenticationTicket for expiration and redirect to your custom page if they have expired.
You can do in it in one of the events: AcquireRequestState, AuthenticateRequest.

Sample code in the event can look like:

// Retrieve AuthenticationCookie
var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie == null) return;
FormsAuthenticationTicket ticket = null;
try {
    ticket = FormsAuthentication.Decrypt(cookie.Value);
} catch (Exception decryptError) {
    // Handle properly
}
if (ticket == null) return; // Not authorised
if (ticket.Expiration > DateTime.Now) {
    Response.Redirect("SessionExpiredPage.aspx"); // Or do other stuff here
}

质疑

Are you sure that you want to have Session.Timeout < FormsAuthentication.Timeout * 2? This means that the Session can be abandoned while the user is still logged in. Anywhere that references Session variables will start having NullReferenceExceptions.