Improvement #2 - Increased session timeout

Since writing this post, we have both switched away from SimpleAuthentication and made it possible to disable session timeout completely.

This is the second post in the series 10 improvements in 10 days. Yesterday we introduced a new feature named HTTP method on URLs. Today, we introduce an improvement which may not have required as much code, but which has been requested by a lot of you: increased session timeout (to 60 minutes).

We are currently using a combination of ASP.NET Forms Authentication and the open source SimpleAuthentication library for authenticating against social providers. We may want to switch to ASP.NET Identity, but for now forms authentication is the framework of choice. Forms authentication defaults to a session timeout of 20 minutes, meaning that you will automatically be logged out if you're inactive for 20 minutes. As of today, the timeout has been increased to 60 minutes.

Some of you asked us to remove session timeout completely. While we see some benefits of doing so, removing session timeout also introduces security issues. Your error logs are a delicate thing and you don't want people outside your organization getting access to your logs. To learn more about why ELMAH logs should be kept a secret, check out Troy Hunt's awesome blog post: ASP.NET session hijacking with Google and ELMAH.
