We have an Admin login to the CMS and the timeout for this is set in the Webconfig:
But we also have a User login where registered members to the site can log in and view pages that we restrict using Visitor Groups (they don't see the CMS - just restricted pages). Can somebody tell me where we set the session timeout length for this type of login please?
I might be misunderstanding your question, but the setting should be applied for any users using the current membership provider, regardless of admin or not. It's the timeout value for the authentication cookie set by ASP.NET.
Thanks for your reply - if I change this timeout to 1 minute and log in to the Admin CMS and wait for 1 minute I get a popup box asking me to log back in - as I expected it to do.
If I log in to the Members area in the front end - and wait for 1 minute I am still logged in.
Where is the authentication cookie set? Or is this the same line that I pasted in above?
What would happen if I put this line of code into the webconfig?
If I leave the timeout at 4320 as above then the CMS login works fine but the Members area logs the user out after 40 mins.
Hope that helps a bit,
Then I guess the problem is in your login page. Your custom login page should get the timeout information (should be available in Membership, IIRC) to set the cookie timeout.
The code from the login page in our Commerce Sample site, you get the idea:
    private static void CreateAuthenticationCookie(string username, string domain, bool remember)
    {
        // this line is needed for cookieless authentication
        var expirationDate = FormsAuthentication.GetAuthCookie(username, remember).Expires;

        // the code below does not work for cookieless authentication
        // we need to handle ticket ourselves since we need to save session parameters as well
        // Arguments follow the constructor order (version, name, issueDate, expiration,
        // isPersistent, userData, cookiePath). Only the expiration line is in the post;
        // the others are assumed, with the domain carried as userData.
        var ticket = new FormsAuthenticationTicket(2,
            username,
            DateTime.Now,
            /*expirationDate, - doesn't work when it's DateTime.MinValue. The date needs to be convertible to FileTime, i.e. >=01/01/1601 */
            expirationDate == DateTime.MinValue ? DateTime.Now.Add(FormsAuthentication.Timeout) : expirationDate,
            remember,
            domain,
            FormsAuthentication.FormsCookiePath);

        // Encrypt the ticket.
        string encTicket = FormsAuthentication.Encrypt(ticket);

        // remove the cookie, if one already exists with the same cookie name
        if (HttpContext.Current.Response.Cookies[FormsAuthentication.FormsCookieName] != null)
            HttpContext.Current.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
        cookie.HttpOnly = true;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = FormsAuthentication.RequireSSL;
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;
        cookie.Expires = ticket.Expiration;

        // Create the cookie.
        HttpContext.Current.Response.Cookies.Add(cookie);
    }
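
To see which lifetime a given login path actually put into the ticket, the cookie can be decrypted server-side and compared with the configured forms timeout. This is an added example, not code from the thread or from the Commerce Sample site; `AuthTicketInspector` and `Describe` are hypothetical names, and it assumes classic ASP.NET forms authentication (System.Web).

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added diagnostic (hypothetical helper): reports the lifetime stored in the
// forms-auth ticket next to the timeout configured on <forms> in web.config.
public static class AuthTicketInspector
{
    public static string Describe(HttpRequest request)
    {
        // Browsers do not send a cookie's expiry back, so the encrypted ticket
        // is the only server-side record of when the login ends.
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "No forms authentication cookie on this request.";

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException)
        {
            return "Cookie present, but it is not a valid forms authentication ticket.";
        }
        catch (CryptographicException)
        {
            return "Cookie present, but it could not be decrypted with this site's keys.";
        }
        if (ticket == null)
            return "Cookie present, but no ticket could be read from it.";

        // Lifetime chosen by whichever login page issued the ticket. Sliding
        // renewal keeps this span and only moves both dates forward.
        TimeSpan ticketLifetime = ticket.Expiration - ticket.IssueDate;
        TimeSpan configured = FormsAuthentication.Timeout;

        // A few seconds of slack covers clock reads taken at slightly different times.
        bool matchesConfig = Math.Abs((ticketLifetime - configured).TotalSeconds) < 5;

        return string.Format(
            "user={0} persistent={1} issued={2:o} expires={3:o} expired={4} " +
            "ticketLifetime={5} configuredTimeout={6} sliding={7} matchesConfig={8}",
            ticket.Name, ticket.IsPersistent, ticket.IssueDate, ticket.Expiration,
            ticket.Expired, ticketLifetime, configured,
            FormsAuthentication.SlidingExpiration, matchesConfig);
    }
}
```

Call it with `HttpContext.Current.Request` after logging in through each path; `matchesConfig=False` on one of them means that login page sets its own ticket expiration. The output contains the user name, so keep it on a temporary page restricted to administrators.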