you can set the timeout in the <sessionState<formselement respectively.
But it sounds very much like your appdomain recycles at some point - usually
session is sliding expiration.
Are you by any chance doing some file operations in your web app, or other
stuff like:
Machine.Config, Web.Config or Global.asax are modified
The bin directory or its contents is modified
The number of re-compilations (aspx, ascx or asax) exceeds the limit specified
by the <compilation
numRecompilesBeforeAppRestart=/setting in machine.config or web.config
(by default this is set to 15)
The physical path of the virtual directory is modified
The CAS policy is modified
The Web service is restarted
Application Sub-Directories are deleted
-----
Dominick Baier (
http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (
http://www.microsoft.com/mspress/books/9989.asp)
Hello all,
I am having a significant problem with the security in my app. I am
experiencing a problem, where the session apparently times out, and
all my session data is reset just as if a new session was started, ...
but the FormsAuthentication ticket doesn't expire, and so i wind up
with a user who is no longer actually logged in being able to access
sections of the site which are locked down using the "LOCATIONS" node
of the web.config file and application roles.
How can i make sure my session and authentication ticket both expire
together?
Thanks in advance,
- Arthur Dent.
