Nov 17, 2014 05:36 PM|rtyhhn54
If I set up Forms Authentication with:
<forms loginUrl="/MyLogin/Index" timeout="2880"
and IIS has Idle Time Out set to 20
Will re-authentication be required after 20 minutes?
I do not have the Machine or Encryption key set. I do not use Session variables.
I was thinking that IIS encrypts the cookie, probably with the Machine Key and MAYBE a salt. So if IIS resets after 20 minutes, the cookie would be invalid?
If I set my own Machine Key and Encryption key, maybe the cookie would be good?
Nov 17, 2014 05:43 PM|Rion Williams
Don't quote me on this, but I believe that Forms Authentication is quite a bit different, as it is generally handled at the browser level and thus isn't going to be susceptible to an IIS Idle Timeout (e.g. if you are logged in and you experience an Idle Timeout, you won't be required to reauthenticate). I'm not currently around an environment to test this theory out, but I believe that you should still be authenticated (you could try explicitly restarting your application pool while authenticated to test this).
Nov 17, 2014 07:44 PM|rtyhhn54
You're incorrect; I tested it. Unfortunately, yet another bad design feature in Forms Authentication. Not as bad as converting 401 and 403 to 302s, but pretty awful. I knew this happened for Session cookies; I wasn't sure for the Forms cookie.
If you don't specify your own encryption keys, it probably uses the web server machine key with a salt. Thus your authentication ticket timeout setting is pretty useless for a low-volume site (like in the middle of the night).
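The standard way to keep a Forms ticket valid across an application pool recycle (and across every node of a web farm) is an explicit machineKey in web.config instead of auto-generated keys. This is an added example, not config from the thread; the key values are placeholders to be replaced with your own randomly generated hex strings, and requireSSL and slidingExpiration are assumptions added on top of the poster's loginUrl and timeout settings.

```xml
<configuration>
  <system.web>
    <!-- Explicit keys: the Forms ticket is signed and encrypted with these,
         not with keys whose lifetime may be tied to the worker process.
         Placeholders only: generate real values with a CSPRNG
         (validationKey: 128 hex chars for HMACSHA256,
          decryptionKey: 64 hex chars for AES-256),
         use the same values on every server in the farm,
         and keep them out of source control. -->
    <machineKey validationKey="[PLACEHOLDER-128-HEX-CHARS]"
                decryptionKey="[PLACEHOLDER-64-HEX-CHARS]"
                validation="HMACSHA256"
                decryption="AES" />
    <authentication mode="Forms">
      <!-- loginUrl and timeout (minutes) as in the question.
           protection="All" signs and encrypts the ticket;
           requireSSL keeps the cookie off plain HTTP (assumption). -->
      <forms loginUrl="/MyLogin/Index"
             timeout="2880"
             slidingExpiration="true"
             protection="All"
             requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```

After deploying this, recycle the application pool while logged in and confirm the ticket is still accepted; if it is not, the keys differ between the process that issued the ticket and the one validating it.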