Disadvantages of using FormsAuthentication "slidingExpiration"

Suppose I use something like this in web.config

<authentication mode="Forms">
  <forms
      loginUrl="~/HomeLogin.aspx"
      cookieless="AutoDetect"
      slidingExpiration="true"
      timeout="10"
      protection="All" />
</authentication>

If slidingExpiration is set to true (the default), each time the FormsAuthenticationModule authenticates the user, it updates the ticket expiration date. If set to false, the expiration is not updated on each request, so the ticket expires exactly some time after it was first created.

Note: The validity period stored in the authentication ticket is an absolute date and time value, such as August 2, 2008, 11:34 a.m. In addition, the date and time refer to the local time of the web server. This design decision may have some interesting side effects around daylight saving time (DST), when clocks in the USA move forward one hour (provided that the web server is located in a locale where daylight saving time is observed). Think about what will happen on an ASP.NET website with a 30-minute expiration time around the DST start time (which is at 2:00 AM). Imagine that a visitor subscribes to the site on March 11, 2008 at 1:55 a.m. This will create a forms authentication ticket that expires on March 11, 2008 at 2:25 a.m. (30 minutes in the future). However, as soon as 2:00 AM rolls around, the clock jumps to 3:00 AM due to DST. When the user loads a new page six minutes after login (at 3:01 a.m.), the FormsAuthenticationModule notes that the ticket has expired and redirects the user to the login page.


+3
2
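The DST scenario from the quoted note, modelled as an added example (not code from the original post and not ASP.NET's own implementation): it compares an expiry kept as server-local wall-clock time with one kept as a UTC instant. It goes beyond the note by also covering the autumn fall-back, where a wall-clock expiry lets the ticket outlive its configured timeout. SERVER_TZ, the function names and the sample instants are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

SERVER_TZ = ZoneInfo("America/New_York")  # assumption: server locale observing US DST
TIMEOUT = timedelta(minutes=30)           # the 30-minute timeout from the note


def wall_clock(instant_utc):
    """Server-local wall-clock reading for a UTC instant, with the offset discarded."""
    return instant_utc.astimezone(SERVER_TZ).replace(tzinfo=None)


def expired_local(login_utc, request_utc):
    """Expiry stored and compared as naive local time (the scenario in the note)."""
    expiry = wall_clock(login_utc) + TIMEOUT
    return wall_clock(request_utc) >= expiry


def expired_utc(login_utc, request_utc):
    """Expiry stored and compared as a UTC instant."""
    return request_utc >= login_utc + TIMEOUT


def compare(login_utc, minutes_later):
    """Return (local_says_expired, utc_says_expired) for a request N minutes after login."""
    request_utc = login_utc + timedelta(minutes=minutes_later)
    return expired_local(login_utc, request_utc), expired_utc(login_utc, request_utc)


# Constructed sample instants around real America/New_York transitions in 2008.
SPRING_LOGIN = datetime(2008, 3, 9, 6, 55, tzinfo=timezone.utc)   # 01:55 EST, clocks jump at 02:00
AUTUMN_LOGIN = datetime(2008, 11, 2, 5, 55, tzinfo=timezone.utc)  # 01:55 EDT, clocks fall back at 02:00

if __name__ == "__main__":
    # Spring forward: six minutes after login the wall clock reads 03:01.
    print("spring +6 min :", compare(SPRING_LOGIN, 6))    # (True, False)
    # Fall back: 89 minutes after login the wall clock reads 02:24 again.
    print("autumn +89 min:", compare(AUTUMN_LOGIN, 89))   # (False, True)
```

In the autumn case the wall-clock comparison still accepts the ticket 89 minutes after login, which matters when the timeout is relied on as a session-lifetime control.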

FormsAuthentication UTC . ( ), , /, UTC, .

Cookies UTC RFC 6265, 5.1.1.

" - , , ,  , , ( UTC) - ,  , , , ,   .

, DST .

- , . , cookie-enroute .

, , , cookie.

+5

- UTC.

0
