Forms Authentication Timeout vs Session Timeout
- To be on the safe side: TimeOut(Session) <= TimeOut(FormsAuthentication) * 2
- If you want to show page other than specified in loginUrl attribute after authentication timeout you need to handle this manually as ASP.NET does not provide a way of doing it.
To achieve #2 you can manually check the cookie and its AuthenticationTicket for expiration and redirect to your custom page if they have expired.
You can do in it in one of the events: AcquireRequestState, AuthenticateRequest.
Sample code in the event can look like:
// Retrieve AuthenticationCookievar cookie = Request.Cookies[FormsAuthentication.FormsCookieName];if (cookie == null) return;FormsAuthenticationTicket ticket = null;try { ticket = FormsAuthentication.Decrypt(cookie.Value);} catch (Exception decryptError) { // Handle properly}if (ticket == null) return; // Not authorisedif (ticket.Expiration > DateTime.Now) { Response.Redirect("SessionExpiredPage.aspx"); // Or do other stuff here}
For sites that have a session dependency, you can simply sign out of a stale authentication with the session start event in the global.asax:
void Session_Start(object sender, EventArgs e){ if (HttpContext.Current.Request.IsAuthenticated) { //old authentication, kill it FormsAuthentication.SignOut(); //or use Response.Redirect to go to a different page FormsAuthentication.RedirectToLoginPage("Session=Expired"); HttpContext.Current.Response.End(); }}This makes it so that new session = new authentication, period.