"Anders Lybecker" <anders@(SPAMFILTER)lybecker.com> wrote in message
news:7ic12011kkin7m7cvnntpofffb9fuf7en7@4ax.com...
> On Mon, 2 Feb 2004 12:18:30 -0300, "Hernan de Lahitte"
> <hernan@lagash.com> wrote:
>
> >If your are experiencing timeout problems, it might be the big gap
between
> >the session timeout and the Forms cookie timeout renewal.
>
> Why should the gap cause this problem?
>
> >The latter, will
> >renew it's value when more than half the specified time has elapsed (5
hs).
> >If you have a session timeout of 2 hours, then the session will expire
long
> >before the cookie. So adjusting the forms timeout or the session timeout
> >value should solve this problem. However, I agree with Keith comments
about
> >the suggested timeout values. Remember the "Defense in depth" security
> >practice and despite you may have a VPN or plenty of processing
resources,
> >the majority of the attacks always comes from the inside.
>
> In a series of page requests after the user has logged in one of the
> suddenly fails and the login page is displayed. The timeframe is less
> than 10 minutes - a lot less than the timeout.
>
> Any suggestions?
>
> Regards
> Anders Lybecker
>
>
> >Regards,
> >
> >Hernan de Lahitte
> >Lagash Systems S.A.
> >http://www.lagash.com
> >
> >
> >
> >"Anders Lybecker" <anders@(SPAMFILTER)lybecker.com> wrote in message
> >news:3oks10thgkqgssvig4nohicgog5vgnmn8s@4ax.com...
> >> On Sat, 31 Jan 2004 20:51:45 -0800, "Keith" <keith@keithadler.com>
> >> wrote:
> >>
> >> >First of all, 10 hours for session timeout is going to
> >> >crush your servers. That's an absolutely resource
> >> >intensive approach to session timeouts.
> >>
> >> I don't care, the we got plenty of resources. :-)
> >> The client is always right, and I have nothing to say in this matter.
> >>
> >> > In addition, it
> >> >also represents a security concern that someone could get
> >> >up from their session and have it remain active as much
> >> >as 10 hours later. I would think 2 hours each value
> >> >would be more than adaquate, but in reality 20 minutes is
> >> >a good approach for most sites. That means your session
> >> >is renewed for 10 hours after each click.
> >>
> >> Everything is running within as secure VPN network, so security is not
> >> that high a concern.
> >>
> >> >Even so, my gut instinct is that the problem you're
> >> >having is related to how you're setting the timeout.
> >> >First of all, know that the Administrator can control
> >> >session timeout settings. Second, please forward along
> >> >the part of your web.config and aspx files where you
> >> >programatically set the limits. A common mistake is to
> >> >use the server clock to set the session timeout client-
> >> >side. Clocks are never in perfect concert.
> >> >
> >> >What I really think problem is, is that your forms based
> >> >authentication ticket isn't being renewed. This is
> >> >caused by FormsAuthentication.SlidingExpiration being
> >> >false. Check to see at runtime if the value is false.
> >> >If so your expiration is not being reset each request.
> >> >
> >> >Here's a related link:
> >> >http://www.asp.net/Forums/ShowPost.aspx?
> >> >tabindex=1&PostID=90860
> >>
> >> Here is part of the web.config:
> >>
> >> <authentication mode="Forms">
> >> <forms loginUrl="Login.aspx" timeout="600"/>
> >> </authentication>
> >>
> >> And the single line of code that sets the authentication token from
> >> the Login.aspx file:
> >>
> >> FormsAuthentication.RedirectFromLoginPage(strUserName, False)
> >>
> >> Am I missing something?
> >>
> >> Thanks
> >> Anders Lybecker
> >>
> >>
> >> >>-----Original Message-----
> >> >>Hi,
> >> >>
> >> >>I'm having a problem with the forms-based
> >> >authentication. The user is
> >> >>getting timed out before long before the timeout period
> >> >has passed.
> >> >>The forms-based authentication timeout is set to 10
> >> >hours and session
> >> >>timeout to 2 hours.
> >> >>
> >> >>Has anyone experienced the same problems?
> >> >>
> >> >>I'm running framework 1.0.3705 on windows 2k server with
> >> >IIS 5
> >> >>
> >> >>Any help is appreciated.
> >> >>
> >> >>Regards
> >> >>Anders Lybecker
> >> >>
> >> >>.
> >> >>
> >>
> >
>

<hernan@lagash.com> wrote:

>If your are experiencing timeout problems, it might be the big gap between
>the session timeout and the Forms cookie timeout renewal.

>The latter, will
>renew it's value when more than half the specified time has elapsed (5 hs).
>If you have a session timeout of 2 hours, then the session will expire long
>before the cookie. So adjusting the forms timeout or the session timeout
>value should solve this problem. However, I agree with Keith comments about
>the suggested timeout values. Remember the "Defense in depth" security
>practice and despite you may have a VPN or plenty of processing resources,
>the majority of the attacks always comes from the inside.

>Regards,
>
>Hernan de Lahitte
>Lagash Systems S.A.
>http://www.lagash.com
>
>
>
>"Anders Lybecker" <anders@(SPAMFILTER)lybecker.com> wrote in message
>news:3oks10thgkqgssvig4nohicgog5vgnmn8s@4ax.com...
>> On Sat, 31 Jan 2004 20:51:45 -0800, "Keith" <keith@keithadler.com>
>> wrote:
>>
>> >First of all, 10 hours for session timeout is going to
>> >crush your servers. That's an absolutely resource
>> >intensive approach to session timeouts.
>>
>> I don't care, the we got plenty of resources. :-)
>> The client is always right, and I have nothing to say in this matter.
>>
>> > In addition, it
>> >also represents a security concern that someone could get
>> >up from their session and have it remain active as much
>> >as 10 hours later. I would think 2 hours each value
>> >would be more than adaquate, but in reality 20 minutes is
>> >a good approach for most sites. That means your session
>> >is renewed for 10 hours after each click.
>>
>> Everything is running within as secure VPN network, so security is not
>> that high a concern.
>>
>> >Even so, my gut instinct is that the problem you're
>> >having is related to how you're setting the timeout.
>> >First of all, know that the Administrator can control
>> >session timeout settings. Second, please forward along
>> >the part of your web.config and aspx files where you
>> >programatically set the limits. A common mistake is to
>> >use the server clock to set the session timeout client-
>> >side. Clocks are never in perfect concert.
>> >
>> >What I really think problem is, is that your forms based
>> >authentication ticket isn't being renewed. This is
>> >caused by FormsAuthentication.SlidingExpiration being
>> >false. Check to see at runtime if the value is false.
>> >If so your expiration is not being reset each request.
>> >
>> >Here's a related link:
>> >http://www.asp.net/Forums/ShowPost.aspx?
>> >tabindex=1&PostID=90860
>>
>> Here is part of the web.config:
>>
>> <authentication mode="Forms">
>> <forms loginUrl="Login.aspx" timeout="600"/>
>> </authentication>
>>
>> And the single line of code that sets the authentication token from
>> the Login.aspx file:
>>
>> FormsAuthentication.RedirectFromLoginPage(strUserName, False)
>>
>> Am I missing something?
>>
>> Thanks
>> Anders Lybecker
>>
>>
>> >>-----Original Message-----
>> >>Hi,
>> >>
>> >>I'm having a problem with the forms-based
>> >authentication. The user is
>> >>getting timed out before long before the timeout period
>> >has passed.
>> >>The forms-based authentication timeout is set to 10
>> >hours and session
>> >>timeout to 2 hours.
>> >>
>> >>Has anyone experienced the same problems?
>> >>
>> >>I'm running framework 1.0.3705 on windows 2k server with
>> >IIS 5
>> >>
>> >>Any help is appreciated.
>> >>
>> >>Regards
>> >>Anders Lybecker
>> >>
>> >>.
>> >>
>>
>