posted 8/19/2010 by Vivek Thakur
Forms Authentication timeout vs session state timeout
In ASP.NET web applications, when using Forms Authentication, we need to be aware of two different timeouts when dealing with a logged-in user who relies on session data:
1. Forms Authentication ticket timeout
2. Session state timeout
When the user is trying to login, it is best to create a forms authentication ticket yourself after the user credentials are verified using the code below:
// version, user name, issue time, expiry (30 minutes), persistent flag, user data
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, username, DateTime.Now, DateTime.Now.AddMinutes(30), rememberMe, password);
Note that here we have used the default timeout value for the auth ticket: 30 minutes.
Then you can encrypt this ticket and put it inside a cookie so that it can be persisted later on:
string ticketString = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticketString);
if (rememberMe)
{
    // persistent cookie: survives the browser being closed
    cookie.Expires = DateTime.Now.AddMonths(10);
}
Response.Cookies.Add(cookie); // send the cookie to the browser
Here I am saving the persistent cookie for 10 months if the user has ticked the Remember Me checkbox. If the user has not selected Remember Me, the logged-in user has 30 minutes before the ticket inside the cookie times out (the cookie itself will not expire unless the user closes the browser window). Also, by default the ticket has slidingExpiration=true, which means the timeout is extended by another 30 minutes when a request arrives after more than half of the timeout interval has elapsed. For security reasons, it's best to turn off sliding expiration.
FormsAuthentication timeout is greater than session timeout
In this case, assume the session has the default timeout of 20 minutes. This means that after 20 minutes the user's session data will expire (if the user does not request any other page in your application, which would extend the session's sliding timeout), even though he will still be logged in because the forms auth ticket timeout is set to 30 minutes. You can handle this scenario by re-populating the session data whenever Session["var"] == null.
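The two pieces above (issuing the ticket cookie, and repairing session data when the ticket outlives the session) as one added helper; this is example code written for this page, not code from the original post. It assumes slidingExpiration="false" is set on the forms element in web.config, and the loadForUser callback that rebuilds the session value is hypothetical. Unlike the snippet in the post, it leaves the ticket's userData empty instead of storing the password there.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class AuthTicketHelper
{
    private const int TicketMinutes = 30;   // forms auth ticket lifetime
    // session timeout is assumed to be the 20-minute default from web.config

    public static void IssueAuthCookie(HttpContext ctx, string username, bool rememberMe)
    {
        DateTime issued = DateTime.Now;
        // userData left empty: an encrypted cookie still should not carry a credential
        var ticket = new FormsAuthenticationTicket(
            1, username, issued, issued.AddMinutes(TicketMinutes), rememberMe, string.Empty);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                        // not readable from script
            Secure = FormsAuthentication.RequireSSL  // HTTPS-only when requireSSL is on
        };
        if (rememberMe)
        {
            // persistent cookie outlives the browser session, but the ticket inside it
            // still expires after TicketMinutes because sliding expiration is off
            cookie.Expires = issued.AddMonths(10);
        }
        ctx.Response.Cookies.Add(cookie);
    }

    // Covers the "ticket (30 min) outlives session (20 min)" case: the user is still
    // authenticated, but Session[key] has been dropped, so rebuild it from the identity.
    public static object GetOrReloadSessionValue(
        HttpContext ctx, string key, Func<string, object> loadForUser)
    {
        if (!ctx.Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();  // ticket expired: back to login
            return null;
        }
        object value = ctx.Session[key];
        if (value == null)
        {
            // hypothetical reload callback, keyed on the user name from the ticket
            value = loadForUser(ctx.User.Identity.Name);
            ctx.Session[key] = value;
        }
        return value;
    }
}
```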
FormsAuthentication timeout is less than session timeout
Let's take the other case: the forms auth timeout (assume it's 10 minutes) is less than the session timeout (20 minutes). When forms authentication times out (assuming the user is on a lengthy phone call after logging in), the user will be redirected to the login page after 10 minutes. This can be a usability issue for users entering lengthy data on your website, like writing a long article: the moment they click submit, they will be redirected to the login page, losing all their data.
This is certainly an undesirable scenario, and it is best to increase the forms authentication timeout to a value longer than the session timeout so that users don't need to log in repeatedly. But if it is a secure application, like a banking web app, then the forms authentication timeout has to be a low value, and even in such a case the forms auth value should be higher than the session timeout value.