How to configure session and forms timeout in Kentico

This article describes how to change the web.config file and the Logon form web part so that users are logged out automatically after a configured period, and explains the difference between session and forms timeout.
The Session.Timeout property specifies the amount of time in minutes before the web server assumes that the user has left and discards the session (the maximum value is 525,600, i.e. 1 year), whereas the timeout attribute of the forms element in the web.config file specifies the amount of time in minutes before the authentication cookie expires. The default value is 30.

Example of session configuration in API:

Session.Timeout = 60000;

Example of forms configuration in the web.config file:

<forms loginUrl="CMSPages/logon.aspx" defaultUrl="Default.aspx" name=".ASPXFORMSAUTH" timeout="60" slidingExpiration="true" />

Session state timeout means that your session will expire in x minutes. It doesn't mean that you're not authenticated anymore.

Forms timeout means that after x minutes, you'll be prompted to log in again (not authenticated anymore).

It's not a problem if your session timeout lasts longer than your forms timeout, because once you log in again you will retrieve the last session if it has not expired.

A real-world example: Let's configure Kentico to log out users automatically after 10 minutes.

The cookie's expiration is driven by ASP.NET, but you could set the timeout attribute of the forms element in the web.config file to some high value:

<forms loginUrl="CMSPages/logon.aspx" defaultUrl="Default.aspx" name=".ASPXFORMSAUTH" timeout="6000" />

and then use the ChangeCookieExpiration method to decrease this value if necessary:

CookieHelper.ChangeCookieExpiration(FormsAuthentication.FormsCookieName, DateTime.Now.AddMinutes(10), true);

It should be sufficient to change the Login1_LoggedIn method in the file: ~\CMSWebParts\Membership\Logon\LogonForm.ascx.cs.
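
A cookie's expiration date is enforced by the browser, while the forms authentication ticket encrypted inside the cookie carries its own expiration, which ASP.NET checks on each request. The following added example (not Kentico code and not part of the original article) re-issues the ticket so that the cookie and the ticket both expire after the chosen number of minutes. The ShortLivedAuthTicket helper name is hypothetical, and the call from Login1_LoggedIn is an assumption.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper, not part of Kentico or ASP.NET.
public static class ShortLivedAuthTicket
{
    // Replaces the forms authentication cookie that the login control has just
    // queued on the response with one whose ticket expires after `minutes`.
    public static void Reissue(HttpContext context, int minutes)
    {
        string name = FormsAuthentication.FormsCookieName;

        // Response.Cookies[name] creates an empty cookie when none exists,
        // so look at the key list first.
        if (Array.IndexOf(context.Response.Cookies.AllKeys, name) < 0)
            return;

        HttpCookie cookie = context.Response.Cookies[name];
        if (String.IsNullOrEmpty(cookie.Value))
            return;

        FormsAuthenticationTicket issued = FormsAuthentication.Decrypt(cookie.Value);
        if (issued == null)
            return;

        DateTime now = DateTime.Now;
        DateTime expires = now.AddMinutes(minutes);

        // Same identity and user data, but a lifetime of `minutes` instead of
        // the timeout attribute configured in web.config.
        var shortTicket = new FormsAuthenticationTicket(
            issued.Version, issued.Name, now, expires,
            issued.IsPersistent, issued.UserData, issued.CookiePath);

        cookie.Value = FormsAuthentication.Encrypt(shortTicket);
        cookie.Expires = expires;   // browser-side expiry, as in the article
        cookie.HttpOnly = true;     // keep the ticket out of reach of page scripts
    }
}

// Assumed call site, inside Login1_LoggedIn in LogonForm.ascx.cs:
//     ShortLivedAuthTicket.Reissue(HttpContext.Current, 10);
```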

Applies to: Kentico CMS 6.0