
FormsAuthentication.SetAuthCookie(myId, false) keeps timing out, why?


mb22

Programmer
Sep 4, 2002
258
US
Using forms authentication, I have this

FormsAuthentication.RedirectFromLoginPage(myId, false);

I have also set the time out in IIS to 4 hours !!! 14400 seconds.

However .. sometimes after about an hour or even half-hour my users get timed out ... or returned to the login page.

Could it be that the temporary "cookieless" session variable is "disappearing" .. as IIS has been known in the past to have a bad record with session variables? Has anyone run into this problem?

Is it then better to use the "TRUE" option instead .. so that the cookie is saved physically on the client's machine .. in which case the browser will have to read it each time from the client's machine and attach it to the response.

FormsAuthentication.RedirectFromLoginPage(myId, true);
 
Are you talking about the setting in IIS that controls Session timeout(default 20 min.)? That doesn't affect the expiration of the authentication ticket used by FormsAuthentication.

In your web.config file, you have something like this
Code:
<authentication mode="Forms">
	<forms loginUrl="Login.aspx" timeout="30"></forms>
</authentication>

will cause the authentication ticket cookie to expire in 30 minutes.

If you want persistent logins (never expire until the user deletes their cookies), just use the "True" option as you are thinking.

Greetings,
Dragonwell
 
you raise an interesting point ... yes I was talking about IIS timeout setting. ... in my web.config I have NO setting for the timeout
<authentication mode="Forms">
<forms loginUrl="Login.aspx" />
</authentication>

however in my sessionState element .. I have the timeout set to 180 minutes.

<sessionState
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;user id=sa;password="
cookieless="false"
timeout="180"
/>
but it still times out at about half an hour or so.

Are you suggesting I should set the timeout ALSO IN THE AUTHENTICATION section with the FORMS element as you have it? Is the default timeout 30 mins if I leave it out?

<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="180" />
</authentication>

the "TRUE" option did not quite work by the way and I don't think I want to do that!
 
I think you are confusing Session and FormsAuthentication. They are separate and work independently. They both use cookies (well, session can be cookieless) but they are two totally unrelated cookies.

The default timeout for the Forms cookie is 20 minutes, AFAIK - 30 minutes was just an example of how you can set the timeout.

Forget about Session for now. It is recommended to just leave it turned OFF unless you really need it.


Greetings,
Dragonwell
 
thanks ... I did not realize the 2 timeouts were independent of each other. I thought <sessionState> timeout was the timeout used for all situations ... but it looks like I have to set the FormsAuthentication timeout separately if I need that to be different.

thanks anyway .. that appears to have solved my problem. I was almost tempted to explore setting <sessionState> mode="sqlServer" .... but for now I will leave it as "InProc"

thanks
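
Added example, not part of the thread and not code from any poster: a small Python check that reads a web.config and reports the forms-ticket and session timeouts ASP.NET will actually apply, flagging the mismatch discussed above. It assumes the documented defaults (30 minutes for the forms timeout, 20 for the sessionState timeout) and a config with no XML namespace; the function names and the wrapped sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FORMS_DEFAULT_MIN = 30    # assumed documented default for <forms timeout>
SESSION_DEFAULT_MIN = 20  # assumed documented default for <sessionState timeout>

def _minutes(elem, default):
    """Return (minutes, was_set_explicitly) for an element's timeout attribute."""
    raw = elem.get("timeout") if elem is not None else None
    return (int(raw), True) if raw else (default, False)

def effective_timeouts(web_config_xml):
    """Return (forms, session); each is (minutes, explicit) or None if unused."""
    root = ET.fromstring(web_config_xml)
    auth = root.find("system.web/authentication")
    state = root.find("system.web/sessionState")
    forms = session = None
    if auth is not None and auth.get("mode", "").lower() == "forms":
        forms = _minutes(auth.find("forms"), FORMS_DEFAULT_MIN)
    # Session state is on (InProc) unless the element says mode="Off".
    if state is None or state.get("mode", "InProc").lower() != "off":
        session = _minutes(state, SESSION_DEFAULT_MIN)
    return forms, session

def audit(web_config_xml):
    """List mismatches between the login ticket lifetime and the session lifetime."""
    forms, session = effective_timeouts(web_config_xml)
    notes = []
    if forms is None:
        return notes
    if not forms[1]:
        notes.append("forms timeout not set: default of %d min applies" % forms[0])
    if session is not None and forms[0] < session[0]:
        notes.append("login expires after %d min, before the %d min session"
                     % (forms[0], session[0]))
    if session is not None and forms[0] > session[0]:
        notes.append("session data expires after %d min while login lasts %d min"
                     % (session[0], forms[0]))
    return notes

# Constructed sample: the elements from the thread wrapped in a minimal web.config.
POSTED = """<configuration><system.web>
  <authentication mode="Forms"><forms loginUrl="Login.aspx" /></authentication>
  <sessionState mode="InProc" cookieless="false" timeout="180" />
</system.web></configuration>"""
FIXED = POSTED.replace('loginUrl="Login.aspx"', 'loginUrl="Login.aspx" timeout="180"')

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, effective_timeouts(cfg), audit(cfg))
```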
 