Why set forms authentication timeout longer than session timeout

asp.netforms-authenticationsession

I think I understand the difference between ASP.NET's "session" and "forms authentication". Session is basically used for storing info specific to that user's session (maybe the state of a search filter), and the forms authentication is used to remember that they should have access to certain things.

My question is, why is it ever desirable to have the forms authentication timeout be longer than the session timeout? In fact, by default, web.config sets forms authentication's timeout to be much longer.

Here are the 2 scenarios I see:

Session times out before forms auth does. User loses things like search filters and although they can still see secured pages, things may look different and various things may reset. In addition, the developer has to worry about Session becoming null every time they use it.
Forms auth times out before session does. User has to re-enter username and password, but they get back to the page they were on and with the session info intact (unless that has also timed out). Developer only has to worry about Session being null in one place – on login – and can initialize it there if necessary.

Why would scenario 1) ever be more desirable? Am I missing something?

Best Answer

The thing is Session timeout is a more critical setting than the other. Setting authentication timeout to a very long period will not affect the web application in the means of server resources. But if you set Session timeout to a long period this could cause memory problems under high stakes.

You are right about your statement. As a developer I would prefer 2 over 1. However there is an easy way to handle session expiration. Check out this SO question. One of the answers has a good solution to session expiration.

protected void Session_Start(Object sender, EventArgs e)
{
    if (User.Identity.IsAuthenticated)
    {
        FormsAuthentication.SignOut();                         
        Response.Redirect("~/SessionEnd.aspx");
    }
}

This way you can handle expired Session's in one place.

Related Solutions

Asp.net cookies, authentication and session timeouts

Avoid using session as much as you can, if you can get away without seesion it makes multi-server deployments qutie a bit easier. Probably, Name and email are easy candidates for cookies. It's easy to fake a cookie, so userID may not be a good idea depending on your security needs.

The forms authentication cookies are encrypted and you can add extra data to those cookies (See details below). It's probably hackable but not nearly as easily as a simple cookie.

Here is the code I have used in the past slightly modified to remove some project specific details. Call this in the LoggedIn event of the login control.

void AddUserIDToAuthCookie(string userID)  
{  
  //There is no way to directly set the userdata portion of a FormAuthenticationTicket  
  //without re-writing the login portion of the Login control  
  //  
  //I find it easier to pull the cookie that the Login control inserted out  
  //and create a new cookie with the userdata set  

  HttpCookie authCookie = Response.Cookies[AUTH_COOKIE];
  if(authCookie == null)
  {
    return;
  }

  Response.Cookies.Remove(AUTH_COOKIE);

  FormsAuthenticationTicket oldTicket = FormsAuthentication.Decrypt(authCookie.Value);
  var newTicket =
    new FormsAuthenticationTicket(oldTicket.Version, oldTicket.Name, oldTicket.IssueDate, oldTicket.Expiration,
                                  oldTicket.IsPersistent, userID, oldTicket.CookiePath);

  authCookie.Value = FormsAuthentication.Encrypt(newTicket);

  Response.Cookies.Add(authCookie);
}

FYI, I copied this from an old project and edited it here to remove some project specific bits, so it may not compile, but it'll be very close.

To get the ID in your webpage...

FormsAuthenticationTicket ticket = ((FormsIdentity) Page.User.Identity).Ticket;
string id = ticket.UserData;

I used this mechanism to store an id that was not part of the aspnetdb user data. If all your identity data is handled by the aspnetdb, you may only need to access the Page.User.Identity object.

R – Detecting forms authentication timeout in login page

Forms authentication will automatically append a URL parameter 'ReturnURL', indicating what page (if any) triggered the redirection to the login page. Most websites have a 'Default.aspx' or 'index.html' etc as the default page. You can check the ReturnURL to see if it contains the default page, or some other page in your application.

EXAMPLE:

string refererURL;
if (page.Request.QueryString["ReturnURL"] != null)
{
    refererURL = page.Request.QueryString["ReturnURL"].ToString();
}

//Check to see if user was redirected because of Timeout or initial login
//Where "Default.aspx" is the default page for your application
if (refererURL != "" && refererURL != (ResolveUrl("~") + "Default.aspx"))
{
    //Show HTML etc showing session timeout message 
}
else // User redirected here to to initial login
{
    //Show HTML showing initial login HTML message etc
}

Best Answer

Related Solutions

Asp.net cookies, authentication and session timeouts

R – Detecting forms authentication timeout in login page

Related Topic