Sliding expiration sounds pretty simple right? From MSDN (emphasis mine):
“Sliding expiration resets the active authentication time for a cookie to expire upon each request during a single session.”
Great! So if I want to synchronise the authentication timeout with the session timeout, that should be a simple matter of setting the forms authentication expiration and session timeout to the same value, and enabling sliding expiration.
This would be fantastic if MSDN wasn’t a deceptive, dishonest fiend*! From a different place on the same MSDN page (last bit of emphasis mine):
“If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time that the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half of the specified time has elapsed. This might cause a loss of precision.”
Raj Kaimal has a good example of the effect of this, and it is explained in a bit more detail here. This is a real pain if you want the user to login again after their session expires, and so you would like the session and authentication ticket to expire after the same period of inactivity.
The solution in this case is to manually refresh the forms authentication cookie on each request (or set the expiry to double the session timeout time), and ensure the authentication cookie is cleared and the user is forced to the login page on Session_Start.
* I still love you MSDN, despite your propensity for providing misleading information and your clumsy interface :)