Specifying the Length of Time for Idle Cookie Timeout

Overview

For security reasons, a site administrator may want to limit how long a user's login session stays valid. This article shows how to configure forms authentication so that users are required to log in again after a specified period of time.

Prerequisites

  • Read/Write access to the site's root folder to make changes to the web.config file.
  • Access to a SuperUser account.

Solution

The login session timeout is governed by the ".DOTNETNUKE" cookie, which carries the ASP.NET forms authentication ticket issued when the user logs in. The ticket itself records when it was issued and when it expires, so the timeout is enforced on every request from the ticket alone, without any server-side session state.

In your web.config file, the "authentication" element (with mode="Forms") contains a "forms" element whose attributes control how the ticket behaves. After a fresh installation of DNN 9.x.x, it looks something like this:

<authentication mode="Forms">
<forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" />
</authentication>
  • The "timeout" attribute is in minutes, and you can change it to your preferred value. We also want to add the "slidingExpiration" attribute to the forms element. It takes the value "true" or "false"; when the attribute is absent, ASP.NET behaves as if it were "true".

The "slidingExpiration" attribute dictates whether the "timeout" is counted from the user's last activity (an idle timeout) or from the moment of login (an absolute limit). With sliding expiration on, ASP.NET does not re-issue the ticket on every request: a fresh ticket with a new expiry is issued only when a request arrives after at least half of the "timeout" has elapsed since the ticket was issued. For example, with "timeout" set to "60" (one hour), a request made 30 minutes or more after the ticket was issued renews it; a request made before that leaves the existing expiry in place.

  • E.g., if the user returns to the site after 30 minutes, the ticket is renewed and the full 60 minutes start again. If the user returns within the first 29 minutes (less than half of 60), the existing ticket simply continues to count down and is not renewed.
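To make the renewal rule concrete, here is a small Python model of it. This is an added illustration, not code from this article, from DNN or from ASP.NET; it assumes the rule described above (a sliding ticket is re-issued when the time elapsed since it was issued is at least the time remaining before it expires, and an absolute ticket is never re-issued), and it models an expired request as the user being sent to the login page and logging in again immediately. Times are minutes after login and the request pattern is constructed for the demo.

```python
"""Model of how ASP.NET forms-authentication tickets expire, in minutes
since login. This is an added illustration, not DNN or ASP.NET code."""

TIMEOUT_MINUTES = 60  # the "timeout" attribute on the <forms> element


def renew_if_old(issued, expires, now):
    """Return the (issued, expires) pair carried forward when
    slidingExpiration="true".

    The ticket is NOT re-issued on every request. It is re-issued only
    when the time elapsed since it was issued is at least the time left
    before it expires, i.e. once half or more of the timeout has passed.
    """
    elapsed = now - issued
    remaining = expires - now
    if elapsed >= remaining:
        lifetime = expires - issued
        return now, now + lifetime          # fresh ticket, full timeout again
    return issued, expires                  # old ticket keeps counting down


def simulate(timeout, request_times, sliding):
    """Walk a list of request times (minutes after login) and report what
    happens to the session at each one.

    Returns a list of (minute, outcome, expires_at) tuples. Outcomes:
      "ok"       - request accepted, ticket unchanged
      "renewed"  - request accepted, ticket re-issued (sliding only)
      "expired"  - ticket had expired; the user is sent to the login page
                   and, in this model, logs in again immediately
    """
    issued, expires = 0, timeout
    events = []
    for now in request_times:
        if now >= expires:
            issued, expires = now, now + timeout      # modelled re-login
            events.append((now, "expired", expires))
            continue
        if sliding:
            new_issued, new_expires = renew_if_old(issued, expires, now)
            outcome = "renewed" if new_expires != expires else "ok"
            issued, expires = new_issued, new_expires
        else:
            outcome = "ok"                            # absolute limit from login
        events.append((now, outcome, expires))
    return events


def outcomes(timeout, request_times, sliding):
    """Just the outcome labels, for a quick comparison of the two modes."""
    return [outcome for _, outcome, _ in simulate(timeout, request_times, sliding)]


if __name__ == "__main__":
    # Constructed request pattern: clicks at 29, 30 and 80 minutes, then
    # silence until 150 minutes, then one more click at 200 minutes.
    clicks = [29, 30, 80, 150, 200]
    for mode in (True, False):
        print(f'slidingExpiration="{str(mode).lower()}"')
        for minute, outcome, expires in simulate(TIMEOUT_MINUTES, clicks, mode):
            print(f"  t={minute:3d} min  {outcome:8s}  ticket expires at t={expires}")
```

Running it shows the difference between the two modes on the same clicks: with sliding expiration the click at 30 minutes renews the ticket while the one at 29 does not, and the user is only logged out after the long silence; with sliding expiration off, the click at 80 minutes already hits an expired ticket, because the hour is counted from login regardless of activity.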

To put this into action, we add the "slidingExpiration" attribute to the forms element as below. Note that in this example the "timeout" attribute has been set to "5" minutes:

<authentication mode="Forms">
<forms name=".DOTNETNUKE" protection="All" timeout="5" cookieless="UseCookies" slidingExpiration="false" />
</authentication>

What the above means is that the ".DOTNETNUKE" ticket expires 5 minutes after login, and it is not renewed even if the user keeps using the site during those 5 minutes. You can instead set "slidingExpiration" to "true" if you want the countdown to restart while the user keeps using the site. In that case the user stays logged in for as long as requests keep arriving within the timeout window; an open but idle browser tab sends no requests, so an idle user is still logged out once the timeout passes. From a security standpoint "false" is the stricter choice: it bounds the useful lifetime of a stolen cookie to "timeout" minutes from login, at the cost of interrupting active users.

  • With "slidingExpiration" set to "false", the user is logged out once the "timeout" has elapsed since login, regardless of how recently the site was used within that period. The user then needs to log in again.

As always, back up your web.config file before editing it, in case something unexpected happens. Note that saving web.config causes ASP.NET to restart the application, so make the change at a quiet time.
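The edit above is small enough to make by hand, but when the same change has to be applied to several DNN sites, or verified afterwards, a script is safer. The following Python is an added example, not part of this article or of DNN's own tooling: it backs up web.config beside itself, sets "timeout" and "slidingExpiration" on the forms element, and can read back the effective settings (filling in ASP.NET's defaults of name ".ASPXAUTH", 30 minutes and slidingExpiration "true" for absent attributes). The web.config excerpt embedded in it is constructed for the demo and is not a real file.

```python
"""Set the forms-authentication timeout and slidingExpiration in a DNN
web.config, taking a backup first. Added example, not DNN's own tooling."""
import shutil
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

# Location of the element the article edits, relative to <configuration>.
FORMS_PATH = "./system.web/authentication/forms"

# Constructed excerpt of a DNN 9 web.config for the demo; not a real file.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- constructed excerpt, comments must survive the edit -->
  <system.web>
    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>
"""


def _parse(xml_text):
    # DNN's web.config is full of comments; the default TreeBuilder drops
    # them, insert_comments=True (Python 3.8+) keeps them in the output.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _forms_element(root):
    forms = root.find(FORMS_PATH)
    if forms is None:
        raise ValueError("no <forms> element under <system.web><authentication>")
    return forms


def forms_auth_settings(xml_text):
    """Effective settings, filling in ASP.NET's defaults for absent
    attributes: name ".ASPXAUTH", timeout 30 minutes, slidingExpiration true."""
    forms = _forms_element(_parse(xml_text))
    return {
        "name": forms.get("name", ".ASPXAUTH"),
        "timeout": int(forms.get("timeout", "30")),
        "slidingExpiration": forms.get("slidingExpiration", "true").lower() == "true",
    }


def set_forms_auth(xml_text, timeout_minutes, sliding):
    """Return web.config text with timeout and slidingExpiration set."""
    if timeout_minutes < 1:
        raise ValueError("timeout must be at least 1 minute")
    root = _parse(xml_text)
    forms = _forms_element(root)
    forms.set("timeout", str(timeout_minutes))
    forms.set("slidingExpiration", "true" if sliding else "false")
    # tostring() omits the XML declaration, so put it back.
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def apply_to_file(path, timeout_minutes, sliding):
    """Back up web.config beside itself, then rewrite it. Returns the backup path."""
    path = Path(path)
    backup = path.with_name(f"{path.name}.{datetime.now():%Y%m%d-%H%M%S}.bak")
    shutil.copy2(path, backup)
    # utf-8-sig strips the BOM that Visual Studio and DNN usually write.
    updated = set_forms_auth(path.read_text(encoding="utf-8-sig"), timeout_minutes, sliding)
    path.write_text(updated, encoding="utf-8")
    return backup


if __name__ == "__main__":
    print("before:", forms_auth_settings(SAMPLE_WEB_CONFIG))
    hardened = set_forms_auth(SAMPLE_WEB_CONFIG, 5, False)
    print("after: ", forms_auth_settings(hardened))
    print(hardened)
```

Two caveats when running apply_to_file against a real site: ElementTree normalises the serialisation (self-closing tags, attribute quoting, and it may rewrite namespaced sections such as the "assemblyBinding" element under "runtime" with an "ns0:" prefix), so diff the result against the backup before trusting it; and writing web.config restarts the application, exactly as a hand edit does. The forms_auth_settings function is also useful on its own as a quick audit of what a site's idle timeout really is.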

Testing

With the "slidingExpiration" attribute set to "false" and the "timeout" set to a short value such as "5":

  • Log in, keep browsing normally for a few minutes, and then refresh the page once the "timeout" has passed since you logged in. The site should prompt you to log in again even though you were using it throughout.

With the "slidingExpiration" attribute set to "true" and the same short "timeout":

  • Log in and refresh the page every minute or two (well inside the "timeout"); you should stay logged in. Then leave the site idle for longer than the "timeout" and refresh again; you should now be prompted to log in.
