Session timeout vs Forms Authentication timeout
I have been using ASP.NET MVC 2, 3 for a couple years now and we are moving to MVC 4.
We're migrating to SimpleMembership and needed to make changes to the web.config.
However, suddenly I got utterly confused with the timeout values in web.config.
In addition to using SimpleMembership we also want to increase the session timeout from the standard 20 to 30 minutes, so I changed the following configuration setting.
<sessionState timeout="30" mode="InProc" />
But then a co-worker of mine suggested that we also need to change the following timeout value from 20 to 30.
<forms loginUrl="~/Login" timeout="20" />
Bogusław Dobrogost, Mar 27, 2013
Yes, and ideally the both timeout should be kept in sync. The best way to do this is using HttpModule or using filters in MVC. Now, why is this necessary..
Forms authentication timeout indicates, how long a user is recognised and stay authenticated in case of any lack of inactivity and similarly session timeout indicates how long to preseve users session in case of any inactivity.
Now image this case... (simplified for clarification purpose).
You have a ecommerce application where the items are stored in a session, when the users "say" does an "Add to cart operation". Now how long you want this value available in session is determined by your session timeout.
But say your session timeout is 10 minutes and your forms authentication timeout is 30 minutes, so in case of any lack of activity, the user may lose what he has added to the cart after 20 minutes of inactivity wheres the users is still authenticated for another 20 minutes after session timeout....In this case after 10 minutes of inactivity the users session is lost while he still being logged in successfully. To avoid issues like this and there will be many more other cases, its better to keep the session and forms auth. timeout in sync.
Keeping both in sync avoid inconsistency in user experience. (There could be other use cases where session timeout could be less than auth timeout, in that case the application should handle all the edge cases)..
Hope I am able to present the example.. In case of any further clarification do revert back.
Rajesh Pillai, Apr 04, 2013