I think I understand the difference between ASP.NET’s “session” and “forms authentication”. Session is basically used for storing info specific to that user’s session (maybe the state of a search filter), and the forms authentication is used to remember that they should have access to certain things.
My question is, why is it ever desirable to have the forms authentication timeout be longer than the session timeout? In fact, by default, web.config sets forms authentication’s timeout to be much longer.
Here are the 2 scenarios I see:
- Session times out before forms auth does. User loses things like search filters and although they can still see secured pages, things may look different and various things may reset. In addition, the developer has to worry about Session becoming
nullevery time they use it. - Forms auth times out before session does. User has to re-enter username and password, but they get back to the page they were on and with the session info intact (unless that has also timed out). Developer only has to worry about Session being
nullin one place – on login – and can initialize it there if necessary.
Why would scenario 1) ever be more desirable? Am I missing something?
The thing is Session timeout is a more critical setting than the other. Setting authentication timeout to a very long period will not affect the web application in the means of server resources. But if you set Session timeout to a long period this could cause memory problems under high stakes.
You are right about your statement. As a developer I would prefer 2 over 1. However there is an easy way to handle session expiration. Check out this SO question. One of the answers has a good solution to session expiration.
This way you can handle expired Session’s in one place.