Forms authentication timeout vs sessionState timeout
They are different things.
The Forms Authentication Timeout value sets the amount of time in minutes that the authentication cookie is set to be valid, meaning, that after value number of minutes, the cookie will expire and the user will no longer be authenticated - they will be redirected to the login page automatically-. The slidingExpiration=true value is basically saying that after every request made, the timer is reset and as long as the user makes a request within the timeout value, they will continue to be authenticated. If you set slidingExpiration=false the authentication cookie will expire after value number of minutes regardless of whether the user makes a request within the timeout value or not.
The SessionState timeout value sets the amount of time a Session State provider is required to hold data in memory (or whatever backing store is being used, SQL Server, OutOfProc, etc) for a particular session.
For example, if you put an object in Session using the value in your example, this data will be removed after 30 minutes.
The user may still be authenticated but the data in the Session may no longer be present.
The Session Timeout value is always reset after every request.
补充
One clarification: The forms authentication timeout sets the expiration time for the Ticket not necessarily for the cookie where the ticket may be stored. The cookie may have no expiration time at all (confusingly called a session cookie, which means it lasts until the user closes the browser), or there may not even be a cookie at all ("cookieless" forms authentication). In the case of a persistent cookie, forms authentication sets the cookie expiration and the ticket expiration to the same time.
Another clarification from MSDN: "To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half of the specified time has elapsed." So the cookie timeout is only reset if it is half over. Hence the suggestion to set it to 2x the session timeout.
Session timeout vs Forms Authentication timeout
问题
I have been using ASP.NET MVC 2, 3 for a couple years now and we are moving to MVC 4.
We're migrating to SimpleMembership and needed to make changes to the web.config.
However, suddenly I got utterly confused with the timeout values in web.config.
In addition to using SimpleMembership we also want to increase the session timeout from the standard 20 to 30 minutes, so I changed the following configuration setting.
<sessionState timeout="30" mode="InProc" />
I presume this is correct.
But then a co-worker of mine suggested that we also need to change the following timeout value from 20 to 30.
<forms loginUrl="~/Login" timeout="20" />
Is this necessary? If so, could someone explain how the two are related?
答案
Yes, and ideally the both timeout should be kept in sync. The best way to do this is using HttpModule or using filters in MVC. Now, why is this necessary..
Forms authentication timeout indicates, how long a user is recognised and stay authenticated in case of any lack of inactivity
and similarly session timeout indicates how long to preseve users session in case of any inactivity.
Now imagine this case... (simplified for clarification purpose).
You have a ecommerce application where the items are stored in a session, when the users "say" does an "Add to cart operation". Now how long you want this value available in session is determined by your session timeout.
But say your session timeout is 10 minutes and your forms authentication timeout is 30 minutes, so in case of any lack of activity, the user may lose what he has added to the cart after 20 minutes of inactivity wheres the users is still authenticated for another 20 minutes after session timeout....In this case after 10 minutes of inactivity the users session is lost while he still being logged in successfully. To avoid issues like this and there will be many more other cases, its better to keep the session and forms auth. timeout in sync.
Keeping both in sync avoid inconsistency in user experience. (There could be other use cases where session timeout could be less than auth timeout, in that case the application should handle all the edge cases)..
Hope I am able to present the example.. In case of any further clarification do revert back.
ASP.NET Session Timeouts
In ASP.NET there are lots of timeouts. In this blog entry I will be covering in great detail Session timeout due to the complexity of the issue and the fact that I can never remember where all the setting are and what they are for. I am not covering other timeouts except Script Timeout.
SIDE
NOTE: Web services that you consume have timeouts before ASP.NET stops
waiting for a response from a web service, but I am not covering that
here. The web services on the server side have timeouts that are
independent of the ASP.NET consuming the web service. I am also not
covering timeouts associated with database connections or authentication
either. It is however important that all these timeouts be be
compatible with each other, otherwise you will get undesirable behavior.
For example, don't set your execution time to less than the database
timeout. Or don't set the application recycle to be less than the
session timeout.
SessionState Timeout
This
is the number of minutes before an ASP.NET user session is terminated.
It must be an integer, and it is in minutes. The default is to terminate
the session after 20 minutes and the application will throw an
exception when accessing an terminated session. Another way to think of
this is that it is the time between requests for a given session (which
is per user) before a session is terminated.
I recommend reading Idle Timeout section below to see how these are related.
Session Timeout Event
When the session times out it fires an event called: Session_End
and then when the user hits the page again (after it has expired or the first time), it will start a new session and the Session_Start event is called.
It is important to know that the only thing you can really do in the Session_End event is do clean up.
This is because this event fire even if a user doesn't hit a page again.
In other words, if a session times out due to inactivity, the Session_End is fired even if the user never refreshes the page, etc.
It is independent of the page lifecycle.
These events are defined in the Global.asax file.
Detecting when a session has timed out
The short answer to this is that you have a session time when the following conditions are met:
Context.Session != null
AND Context.Session.IsNewSession == true
AND Page.Request.Headers["Cookie"] != null
AND Page.Request.Header["Cookie"].indexOf("ASP.NET_SessionId") >= 0
The long answer is read this blog for more details and sample code: http://www.eggheadcafe.com/articles/20051228.asp
and http://aspalliance.com/520
timeout in role manager
https://msdn.microsoft.com/en-us/library/ms164660(v=vs.100).aspx
https://msdn.microsoft.com/en-us/library/system.web.security.roles.cookietimeout(v=vs.110).aspx
<roleManager defaultProvider="SqlProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/MyApplication" cookieRequireSSL="true" cookieSlidingExpiration="true" cookieProtection="Encrypted" > <providers> <add name="SqlProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="SqlServices" applicationName="MyApplication" /> </providers> </roleManager>
https://support.microsoft.com/en-us/help/910439
The forms authentication ticket times out
The other common cause for a user to be redirected is if the forms authentication ticket has expired. The forms authentication ticket can time out in two ways. The first scenario occurs if you use absolute expiration. With absolute expiration, the authentication ticket expires when the expiration time expires. For example, you set an expiration of 20 minutes, and a user visits the site at 2:00 PM. The user will be redirected to the login page if the user visits the site after 2:20 PM.
If you use sliding expiration, the scenario is a
bit more complicated. The cookie and the resulting ticket are updated if
the user visits the site after the expiration time is half-expired. For
example, you set an expiration of 20 minutes by using sliding
expiration. A user visits the site at 2:00 PM, and the user receives a
cookie that is set to expire at 2:20 PM. The expiration is only updated
if the user visits the site after 2:10 PM. If the user visits the site
at 2:09 PM, the ticket is not updated because half of the expiration
time has not passed. If the user then waits 12 minutes, visiting the
site at 2:21 PM, the ticket will be expired. The user is redirected to
the login page.
https://www.codeproject.com/Articles/534693/Authentication-vs-Session-timeout-Session-expired
设置timeout
Forms authentication的timeout设置
<authentication mode="Forms"> <forms timeout="1440" slidingExpiration="true" /> </authentication>
session的timeout的设置
<sessionState timeout="1440" />