DoughBoy

I've done some research on the topic, but everywhere I look, I run into dead ends... It's time to post the question.....

What I would like to do is.... Change the session timeout to a low number, about 5 minutes. And instead maintain a user's sesison with cookies. When a user logs in, a cookie is created and the life of it would be a large number, about 5 hours. Every action the user does, the cookie would show the server proof of it's validation and continue the user's action also updating it's life to another 5 hours from that moment. Obviously, after the 5 hours, the user would need to log back in, but thats another story....

Does anyone know if this is possible? Also, can anyone help me in finding the correct path to achieving this?

Thanks very much to everyone who helps.

DoughBoy

After further investigation with this topic I have found....

within the web.config file, setting attributes within the authentication/forms tag...
slidingExpiration="true"
timeout="300"

This would do what I wanted... The timeout would be 5 hours, and the slidingExpiration would restart the timeout based on server post backs. AND this was all done without programming cookies.

It seems to me that the session would stay open until either the window was closed, or no activity occurred for the 300 minutes.

Am I correct to assume this? I do not allow the users to enable "remember me" and have forms authentication, so everything would be checked against the web.config file. Seems like I got going what I wanted.... Correct?

Please hit me back any comments and let me know if I'm doing something or thinking something wrong.

Thanks!

MKoslof

Overall, your assumptions appear to be correct. If the user does not log out or a call to FormsAuthentication.SignOut() is not invoked, they will remain logged in until the expiration properties are hit.

But on that note, you are going to find some nuances here. Depending on how you are doing your Forms Authentication (membership API, loginview controls, etc.) you might need to perform the FormsAuthentication.SignOut() invoke and Session.RemoveAll()/Session.Abandon() to clear all variables as well.