How to configure session and forms timeout in Kentico
This article describes how to change the web.config file and the Logon form web part to log out users automatically after a configured period, and explains the difference between session and forms timeout.
The Session.Timeout property enables you to specify the amount of time in minutes before the web server assumes that the user has left and discards the session (the maximum value is 525,600, which is 1 year), whereas the timeout attribute of the forms element in the web.config file enables you to specify the amount of time in minutes before the authentication cookie expires. The default value is 30.
Example of session configuration in API:
Session.Timeout = 60000;
Example of forms configuration in the web.config file:
<forms loginUrl="CMSPages/logon.aspx" defaultUrl="Default.aspx" name=".ASPXFORMSAUTH" timeout="60" slidingExpiration="true" />
Session state timeout means that your ASP.NET session will expire in x minutes. It doesn't mean that you're not authenticated anymore.
Forms timeout means that after x minutes, you'll be prompted to log in again (not authenticated anymore).
It's not a problem if your session timeout lasts longer than your forms timeout, because once you log in again you will retrieve the last session if it has not expired.
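The two timers can be replayed over a request timeline to see when a user is sent back to the logon page and when session data is lost. This is an added example, not code from the article or from Kentico: `TimeoutModel` and `replay` are hypothetical names, the timelines are constructed, and the model is simplified (the user logs in at minute 0 and signs in again immediately when prompted; ASP.NET renews a sliding ticket only on a request made after more than half of the timeout has elapsed).

```python
from dataclasses import dataclass


@dataclass
class TimeoutModel:
    session_timeout: float   # Session.Timeout: minutes of allowed inactivity
    forms_timeout: float     # <forms timeout="...">: ticket lifetime in minutes
    sliding: bool = True     # <forms slidingExpiration="...">

    def replay(self, request_minutes):
        """Return (minute, authenticated, session_alive) as seen when each
        request arrives. The user is assumed to log in at minute 0."""
        issued, expires = 0.0, self.forms_timeout
        last_access = 0.0
        seen = []
        for t in sorted(request_minutes):
            # Session state is discarded after session_timeout idle minutes.
            session_alive = (t - last_access) < self.session_timeout
            last_access = t  # every request restarts the session idle timer
            authenticated = t < expires
            if not authenticated:
                # Prompted to log in; assume the user signs in again at once.
                issued, expires = t, t + self.forms_timeout
            elif self.sliding and (t - issued) > self.forms_timeout / 2:
                # Sliding expiration: renew only in the second half of the
                # ticket lifetime.
                issued, expires = t, t + self.forms_timeout
            seen.append((t, authenticated, session_alive))
        return seen


if __name__ == "__main__":
    # Constructed timelines (minutes after login).
    long_session = TimeoutModel(session_timeout=60, forms_timeout=10)
    short_session = TimeoutModel(session_timeout=5, forms_timeout=60)
    for label, model, timeline in [
        ("forms expires first", long_session, [4, 8, 20, 25]),
        ("early request does not renew", long_session, [4, 11]),
        ("session expires first", short_session, [3, 10]),
    ]:
        print(label)
        for minute, auth, alive in model.replay(timeline):
            print(f"  t={minute:>2}  authenticated={auth}  session_alive={alive}")
```

The second timeline shows a side effect of sliding expiration: a request at minute 4 does not renew a 10-minute ticket, so the user is prompted again at minute 11 after only 7 idle minutes.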
A real-world example: Let's configure Kentico to log out users automatically after 10 minutes.
Cookie expiration is driven by ASP.NET, but you can set the timeout attribute of the forms element in the web.config file to some high value:
<forms loginUrl="CMSPages/logon.aspx" defaultUrl="Default.aspx" name=".ASPXFORMSAUTH" timeout="6000" />
and then use the ChangeCookieExpiration method to decrease this value if necessary:
CookieHelper.ChangeCookieExpiration(FormsAuthentication.FormsCookieName, DateTime.Now.AddMinutes(10), true);
It should be sufficient to change the Login1_LoggedIn method in the file ~\CMSWebParts\Membership\Logon\LogonForm.ascx.cs
See also: http://devnet.kentico.com/docs/6_0/devguide/authentication.htm
Kentico CMS 6.0