When the SlidingExpiration is set to true, the time interval during which the authentication cookie is valid is reset to the expiration Timeout property value. This happens if the user browses after half of the timeout has expired.
For example, if you set an expiration of 30 minutes by using sliding expiration, a user can visit the site at 3:00 PM and receive a cookie that is set to expire at 3:30 PM. The expiration is only updated if the user visits the site after 3:10 PM. If the user visits the site at 3:09 PM, the cookie is not updated because half of the expiration time has not passed. If the user then waits 12 minutes, visiting the site at 3:21 PM, the cookie will be expired.
true if the sliding expiration is enabled; otherwise, false. The default is true.
When using forms authentication with slidingExpiration set to true (default), the cookie is updated only when more than half the timeout value has elapsed. As a result of this, you might be logged off sooner than you think.
Consider this: You have set the timeout to 30 minutes. You logon on at 3:00 pm; a FormsAuthenticationTicket is set to expire at 3:30 pm. The expiration of this ticket will not be extended for another 30 minutes until you make a request after 3:15 pm. So, if you made your last request at 3:15 pm, the ticket will still expire at 3:30 pm as more than half the timeout value has not elapsed (giving you a 15 minute window before you get logged out).
On the other had, if you had made a request at 3:16 pm, the expiration of the ticket is extended to 3:46 p.m.
From MSDN:
timeout : Specifies the amount of time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed. This might result in a loss of precision. Persistent cookies do not time out.
No comments :
Post a Comment