1

So I'm using a AJAX to present an exam simulator for a client, where each mock exam is about 2 hours long. I am realizing that I do not know as much about sessions and its relation to forms authentication as I should.

  • Question: During the course of the exam, AJAX will access code behind, triggering the Page_Load event. As such, does this mean that both the sessionState timeout value, and the Forms Authentication timeout value will be reset?
Improve this question

2 Answers 2

Reset to default
1

Each time a request is sent to the application and the current session is still valid the session timeout will be renewed.

Forms Authentication can work in two ways. You can keep a user logged in for a fixed amount of time or use a sliding expiration. For example:

<authentication mode="Forms">
    <forms defaultUrl="~/Default.aspx"
        loginUrl="~/Login.aspx"
        slidingExpiration="false"
        timeout="120" />
</authentication>

The above sets the forms authentication timeout to 120 minutes but also disables the sliding expiration slidingExpiration="false". This will kick a user out after two hours have expired.

FormsAuthentication.SlidingExpiration Property (MSDN Library)

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks! I've verified this with some tests, but am never quite sure about session timeout's behavior.
@user303644 - that's quite common :). Just as a last note, it's always good to ensure your session timeout is a tad longer than your Forms Authentication ticket expiry. That makes sure people get booted off before the session expires and you don't have to worry about null session values: stackoverflow.com/questions/4605161#4605218. Oh feel free to upvote me and mark as correct if this answer helped :)
Great point- I set the session slightly longer than the authentication ticket. thx again
0

Though it may depend on the server code managing your sessions, the general answer is "Yes". AJAX requests (XmlHttpRequest) will pass along browser cookies, allowing the server to associate the request with a session and consequently re-setting the timer.

If you are managing your sessions through URL instead of cookies, then you will need to ensure that your AJAX requests conform to the URL needs and pass the session_id along with the request.

Improve this answer

2 Comments

I am using InProc for sessionState, and have not changed the manner in which forms authentication functions (slidingExpiration is true). I did a small test, setting Forms Authentication timeout to 3, and sessionState timeout to 2, and it looks like everything was adhered to properly (timed out when it was supposed to, persisted when it was supposed to). But I am never quite sure what to rely on when working with invisible timeouts! I'm going to monitor server memory usage this evening to see what type of effect this has. Thanks-
@user303644 Glad to help. You should know that 'thanks' on Stack Overflow are nice to hear as words, but better expressed by upvotes and/or accepted answers :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.