Timeouts vs ExpireTimeSpan UseCookieAuthentication

0

I have found an MVC application at work with the following properties, and something smells bad to me. I do not fully understand the timeouts of authentication, sessionState and ExpireTimeSpan. Is it necessary to have all three? What differences are there between each one? I have searched for some information but I cannot distinguish their uses.

    <authentication mode="Forms">
      <forms loginUrl="~/Auth/SignOn.aspx" timeout="40" slidingExpiration="true" />
    </authentication>

    <sessionState timeout="30" />

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "ApplicationCookie",
        LoginPath = new PathString("/default.aspx"),
        // ExpireTimeSpan is a TimeSpan, not an int; minutes are assumed here
        ExpireTimeSpan = TimeSpan.FromMinutes(15)
    });
    
asked by user2742460 29.11.2017 в 18:52

1 answer

3

The Forms authentication timeout establishes the number of minutes that the authentication cookie is valid, which means that after that many minutes the cookie will expire and the user will no longer be authenticated, and will be redirected to the login page automatically. The value slidingExpiration = true basically says that after each request made, the timer is reset and, as long as the user makes a request within the timeout value, they will continue to be authenticated. If slidingExpiration = false is set, the authentication cookie will expire after a certain number of minutes, regardless of whether the user makes a request within the timeout value or not.

The SessionState timeout sets the amount of time that a session state provider should store the data in memory (or the backup store being used, SQL Server, OutOfProc, etc.) for a particular session. For example, if you place an object in Session using the value in your example, this information will be deleted after 30 minutes. The user can still be authenticated, but the data in the session may not be present. The SessionTimeout value is always reset after each request.

ExpireTimeSpan is the option that allows you to establish how long the cookie is valid. If SlidingExpiration is set to true, then the cookie will be reissued on any request halfway through ExpireTimeSpan.

answered by 29.11.2017 в 19:15
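
To see how the three values from the question interact, the following console program replays a constructed request timeline against each timer. It is an added example, not code from the question or the answer: the `SlidingTimer` class and the request times are hypothetical, `ExpireTimeSpan = 15` is assumed to mean 15 minutes, and both the Forms ticket and the OWIN cookie are modelled as renewing only once more than half of their window has elapsed.

```csharp
using System;

// Simplified model of one sliding timeout. It is not ASP.NET code.
class SlidingTimer
{
    public readonly string Name;
    readonly double timeout;      // window length in minutes
    readonly bool renewPastHalf;  // true: reissue only after more than half the window has elapsed
    double issuedAt;              // minute at which the cookie/session was last (re)issued

    public SlidingTimer(string name, double timeout, bool renewPastHalf)
    {
        Name = name;
        this.timeout = timeout;
        this.renewPastHalf = renewPastHalf;
    }

    // Returns false if the timer had already lapsed when the request arrived.
    // A lapsed timer stays lapsed: the simulated user never signs in again,
    // and session data that was dropped does not come back.
    public bool Touch(double now)
    {
        double age = now - issuedAt;
        if (age >= timeout) return false;
        if (!renewPastHalf || age > timeout / 2) issuedAt = now;
        return true;
    }
}

static class Program
{
    static void Main()
    {
        var timers = new[]
        {
            new SlidingTimer("forms ticket (40)", 40, true),   // <forms timeout="40" slidingExpiration="true">
            new SlidingTimer("session state (30)", 30, false), // <sessionState timeout="30">, reset on every request
            new SlidingTimer("OWIN cookie (15)", 15, true),    // ExpireTimeSpan, minutes assumed
        };

        // Constructed request times, in minutes after sign-in at t=0.
        foreach (double t in new double[] { 5, 12, 26, 45, 60, 95 })
        {
            Console.Write("t={0,3}:", t);
            foreach (var timer in timers)
                Console.Write("  {0}: {1}", timer.Name, timer.Touch(t) ? "ok" : "EXPIRED");
            Console.WriteLine();
        }
    }
}
```

With this timeline the OWIN cookie lapses first, during the idle gap before t=45, and at t=95 the session data is gone while the Forms ticket is still valid, which is the "authenticated but no session data" state the answer describes.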