Saturday, March 31, 2012

Hunting ASP.NET Authentication and Session Ghosts

ASP.NET handles user authentication and user session state with two independent mechanisms, each with its own timeout, and the mismatch between them sometimes produces ghosts (bugs that are hard to track down) in our web applications.

The default session timeout is 20 mins, and the session timeout is extended (to another 20 mins) on every request made to the server.
The default forms authentication timeout is 30 mins. When sliding expiration is true (the default), the authentication timeout is extended on a request only after the first half of the total authentication time has elapsed; the extension is another 30 mins.
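As an added illustration (not code from the original post), a small Python model of the two timers over a sequence of request times, assuming a 20-minute session timeout renewed on every request, a 30-minute forms authentication ticket renewed only once more than half its lifetime has elapsed, both timers starting at the login request, and an expired session simply replaced by a new empty one on the next request. The request sequences are constructed to show when exactly one of the two has expired:

```python
SESSION_TIMEOUT = 20  # minutes; assumed default, renewed on every request
AUTH_TIMEOUT = 30     # minutes; assumed default, sliding renewal after half elapsed


def simulate(request_minutes, session_timeout=SESSION_TIMEOUT, auth_timeout=AUTH_TIMEOUT):
    """Return one (time, session_alive, auth_alive) tuple per request.

    The first request is the login: both timers start there. Once the
    authentication ticket has expired it stays expired (no re-login is modelled).
    """
    results = []
    session_expiry = None  # absolute minute at which the session expires
    auth_issued = None     # minute at which the current ticket was issued
    for t in request_minutes:
        if session_expiry is None:
            session_expiry = t + session_timeout
            auth_issued = t
            results.append((t, True, True))
            continue
        session_alive = t < session_expiry
        auth_alive = t < auth_issued + auth_timeout
        # Session state: every request restarts the session clock (an expired
        # session is replaced by a new, empty one, which also starts the clock).
        session_expiry = t + session_timeout
        # Forms authentication with sliding expiration: the ticket is reissued
        # only when more than half of its lifetime has already elapsed.
        if auth_alive and (t - auth_issued) > auth_timeout / 2:
            auth_issued = t
        results.append((t, session_alive, auth_alive))
    return results


def find_ghosts(results):
    """Requests where exactly one of the two mechanisms has expired."""
    ghosts = []
    for t, session_alive, auth_alive in results:
        if session_alive and not auth_alive:
            ghosts.append((t, "ticket expired, session data still present"))
        elif auth_alive and not session_alive:
            ghosts.append((t, "still authenticated, session state lost"))
    return ghosts


if __name__ == "__main__":
    # Constructed request patterns (minutes since login).
    for pattern in ([0, 12, 24, 36, 48], [0, 14, 31], [0, 25]):
        print(pattern, "->", find_ghosts(simulate(pattern)))
```

The second pattern shows a user active 14 minutes ago being logged out because the 14-minute request fell inside the first half of the ticket lifetime and did not renew it, while the third shows an authenticated user whose session data is gone.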