I’m slightly puzzled with what should log out a user.

At the moment I have a session timeout set to 20 minutes and I thought that once the session expires the user should be logged out.

I can add a code that will do that on a session_end.

I came across a form authentication timeout in a web.config. Currently it’s set to 48 hours.

I have changed the authentication timeout to 20 minutes and that’s doing the job.

So should a session time out log out the user or should this be done by a form authentication time out?

Thank you

Edit:

What I’m facing at the moment, is that session variables get set to 0, which is fine because the session has timed out. But I would have thought that the user will be logged out too.

Am I correct to say that authentication data is always stored in the cookies and that cookie will be cleared only once I hit the form authentication timeout?

Therefore what I’m facing is expected behaviour. User losses session but he’s still logged in because the authentication information is stored in the cookie.

In that case I can set session timeout to be exactly the same as the form authentication time out. Assumption here is that form authentication timeout gets refreshed when the user does anything on the website.

Another alternative is to add code into sesseion_end method where I will log the user out.

Edit 2:

Does an authentication timeout gets refreshed at the same time as a session time out?

Edit 3:

Came across this “Sliding expiration resets an active authentication cookie’s time to expiration upon each request during a single session.” which I believe is what I’m trying to achieve. If the session and the authentication timeout are the same than the authentication timeout will be reset each time a session timeout is reset and this should do the job. Any feedback is welcome…