Apr 04, 2013
Yes, and ideally the both timeout should be kept in sync. The best way to do this is using HttpModule or using filters in MVC. Now, why is this necessary..
Forms authentication timeout indicates, how long a user is recognised and stay authenticated in case of any lack of inactivity and similarly session timeout indicates how long to preseve users session in case of any inactivity.
Now image this case... (simplified for clarification purpose).
You have a ecommerce application where the items are stored in a session, when the users "say" does an "Add to cart operation". Now how long you want this value available in session is determined by your session timeout.
But say your session timeout is 10 minutes and your forms authentication timeout is 30 minutes, so in case of any lack of activity, the user may lose what he has added to the cart after 20 minutes of inactivity wheres the users is still authenticated for another 20 minutes after session timeout....In this case after 10 minutes of inactivity the users session is lost while he still being logged in successfully. To avoid issues like this and there will be many more other cases, its better to keep the session and forms auth. timeout in sync.
Keeping both in sync avoid inconsistency in user experience. (There could be other use cases where session timeout could be less than auth timeout, in that case the application should handle all the edge cases)..
Hope I am able to present the example.. In case of any further clarification do revert back.