interview

home / developersection / interviews / how can you configure forms authentication to expire after a certain time or use sliding expiration?

Ask Question

How can you configure Forms Authentication to expire after a certain time or use sliding expiration?

ICSM Computer 228 02-Jun-2025
c# c#  authentication 
Updated on 05-Jun-2025
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

02-Jun-2025

You can configure Forms Authentication in ASP.NET to expire after a certain time and optionally use sliding expiration by setting attributes in the <forms> element of your web.config.

Configuration in web.config

<system.web>
  <authentication mode="Forms">
    <forms
      name=".AUTH"
      timeout="30"
      slidingExpiration="true"
      requireSSL="true"
      protection="All"
      path="/"
      cookieless="UseCookies" />
  </authentication>
</system.web>

Explanation of Key Attributes

Attribute Description
timeout="30" The duration (in minutes) the authentication ticket is valid. After this period, the cookie becomes invalid.
slidingExpiration="true" Extends the expiration time with each request made within the timeout window.
slidingExpiration="false" The ticket will expire exactly timeout minutes after creation, no matter how many requests are made.
requireSSL="true" Ensures the cookie is only sent over HTTPS.
protection="All" Ensures the ticket is both encrypted and signed.
cookieless="UseCookies" Ensures the authentication token is stored in cookies and not in the URL.

Example Behavior

  • With timeout="30" and slidingExpiration="true":
    • If the user is active, the expiration is pushed 30 minutes ahead with each request.
    • If the user is idle for 30+ minutes, they’ll need to log in again.
  • With slidingExpiration="false":
    • The ticket always expires 30 minutes after issuance regardless of activity.

Best Practices

  • Use slidingExpiration="true" to enhance user experience for active users.
  • Use shorter timeouts (e.g., 10–30 minutes) for sensitive applications.
  • Consider renewing the ticket manually if you implement custom authentication logic.
advertising
advertising

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy