asp.net cookies, authentication and session timeouts

天命终不由人 2020-11-29 19:04

I have an asp.net website that uses forms authentication. There are a few things I keep in sessions like username, userID, email, etc.

I allow the user to stay logge

5 answers
  •  半阙折子戏
    2020-11-29 19:49

    Technically due to asp.net session timeout your user should not be logged out. This should/is controlled by the forms authentication cookie.

    All the essential information related to user authentication should be kept in the forms authentication ticket's USERDATA property. This value should not be kept in session as session.

    Only keep those values in session which are recreatable.

    So, when you create forms authentication cookie you can pass all the essential information as part of the ticket.

    --

    The quick thing you can do is to keep the timeout of both session and forms authentication the same. This will be a good practice to do.

    The session timeout is automatically extended with each request to the site.

    Whereas a Forms authentication extends its time only after 50% of the time has elapsed.

    Here's detailed info on this: Forms Authentication FAQ

    The simplest thing to do is to extend the Forms authentication time in a custom HttpModule or base page, whatever your design is.

    In this way your timeout will always be in sync, though there may be some slight gap.
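
The approach described in the answer above, as an added example that is not part of the original answer: an HttpModule that reissues the forms ticket on every authenticated request (instead of only after 50% of the timeout has elapsed) and carries the user details in UserData. The names `SlidingTicketModule` and `BuildCookie` are hypothetical; the sketch assumes cookie-based forms authentication on .NET Framework 4 or later and that the module is registered in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical module name (assumption); register it in the <modules> section of web.config.
public sealed class SlidingTicketModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest fires after FormsAuthenticationModule has
        // validated the incoming cookie and populated Context.User.
        app.PostAuthenticateRequest += (s, e) => Renew(((HttpApplication)s).Context);
    }

    private static void Renew(HttpContext ctx)
    {
        var identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        FormsAuthenticationTicket old = identity.Ticket;
        if (old.Expired) return;   // never revive an expired ticket

        // Same name, UserData and persistence; only the lifetime is refreshed.
        ctx.Response.Cookies.Set(BuildCookie(old.Name, old.UserData, old.IsPersistent));
    }

    // Also usable at login: userData holds the values that must survive a session reset.
    public static HttpCookie BuildCookie(string userName, string userData, bool persistent)
    {
        DateTime now = DateTime.Now;
        DateTime expires = now.Add(FormsAuthentication.Timeout);   // <forms timeout="...">
        var ticket = new FormsAuthenticationTicket(
            2, userName, now, expires, persistent,
            userData ?? string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,  // follow <forms requireSSL="...">
            Path = FormsAuthentication.FormsCookiePath
        };
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;
        if (persistent) cookie.Expires = expires;     // otherwise a browser-session cookie
        return cookie;
    }

    public void Dispose() { }
}
```

Keep the userData string small, since the encrypted ticket has to fit in a single cookie.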
