Improvement #2 - Increased session timeout

Since writing this post, we have both switched away from SimpleAuthentication and made it possible to disable session timeout completely.

This is the second post in the series 10 improvements in 10 days. Yesterday we introduced a new feature named HTTP method on URLs. Today, we introduce an improvement which may not have required as much code, but which has been requested by a lot of you: Increased session timeout (to 60 minutes).

We are currently using a combination of ASP.NET Forms Authentication and the open source SimpleAuthentication library for authenticating against social providers. We may want to switch to ASP.NET Identity, but for now forms authentication is the framework of choice. Forms authentication defaults to a session timeout of 20 minutes, meaning that you will automatically be logged out if you're inactive for 20 minutes. As of today, the timeout has been increased to 60 minutes.

Some of you asked us to remove session timeout completely. While we see some benefits of doing so, removing session timeout also introduces security issues. Your error logs are a delicate thing and you don't want people outside your organization getting access to your logs. To learn more about why ELMAH logs should be kept a secret, check out Troy Hunt's awesome blog post: ASP.NET session hijacking with Google and ELMAH.