Doug Reilly's Weblog

Well that would definitly explains my problem.

The forms authentication timeout is completely independent of the Session timeout, so your app should not assume they're related.

Forms authentication uses a cookie, so if you try the following:
- Login using forms authentication
- Modify Web.Config

then the application and therefore the Session will be restarted, but the authentication cookie will still be valid

Yes, they are completely indebendent, but unfortunately, I had presumed they were related, or failing that, had common defaults. In any event, since I have made sure that they were in synch...

Keeping them in sync is no good: at best you can keep them nearly in sync and hope your app domain doesn't get restarted on the server. You'll just reduce the frequency of problems. The right solution is to accept they're independent and design your app accordingly - e.g. if the request is authenticated but the data is not in Session, go and get the data and put it in Session. Or redirect to a home page or something

I found out (the hard way) that all everyone says here is true ... Anyway, I've also found out how to address the problem without having to check for my session variables in every page. Just add this in your global.asax.

'Uses the OnAcquireRequestState event so you have session vars accesible
Sub Application_OnAcquireRequestState(sender as Object, Details as EventArgs)
If Session("MyVariable") = "" Then
'Signout
FormsAuthentication.SignOut()
' Tries to Reload the page and then redirects to the Login page
Server.Transfer(Request.Url.AbsolutePath.ToString, True)
End If
End Sub

However, I have another problem...
I can't find out how to keep the page state before the timeout happened (For example, I can be in the middle of filling out a very big form). I have no problem if I use HTML Controls that runat Client, beacuse my login page takes care of them, but I can´t do it if I have Web Server Controls ... can this be done at all?

Hope my 2 cents help.

If Session("MyVariable") = "" Then
'Signout
FormsAuthentication.SignOut()
' Tries to Reload the page and then redirects to the Login page
Server.Transfer(Request.Url.AbsolutePath.ToString, True)
End If
End Sub

instead of the above code..
cant we make both timeouts simialar.....

Okay,
but what about this:

My web config has got the following settings:
<sessionState mode="InProc" cookieless="false" timeout="15" />

My IIS is (automatically) set to
enable session state (on)
timeout = 10 minutes

Which one will be applied? the one from IIS or the one from web.config?


(lets forget about the machine.config)

Armando Canez: Your solution was a HUGE help. Thank you.

Cool! Glad it helped.

WHEN A SIGNOUT BUTTON IS PRESSED WHAT SHOULD I DO SUCH THAT WHEN THE BACK BUTTON IS CLICKED I DO NOT GET THE OLD INFO THANK U

I had problems with the sliding expiration of forms authentication. Both forms and session were set to 30 minutes. Unfortunately, the ticket is only updated with the next expiration date if at least half of the timeout period has passed. i.e. - user signs in. user makes a request after 10 minutes (ticket not updated). user makes a request after 25 minutes - forms authentication prompts user to login. This is fairly odd behavior since they made the second request within 30 minutes of the first request. However, since it was 35 minutes after the initial cookie was issued, there authentication had expired.

i am having problem setting the session timeout property in my asp page.The syntax i am using is 'Session.Timeout=nMinute' but it is not working. Can any one help me out

Hi,  I have a situation where I have an application variable and am setting/updating that application variable(a collection stored in the application) in each session.  However, one user is not able to see what the other user set.  Any idea of why this might not be working?  Your help would be greatly appreciated.

Thanks!