Try our conversational search powered by Generative AI!

User Login Timeout



We have an Admin login to the CMS and the timeout for this is set in the Webconfig:

But we also have a User login where registered members to the site can login and view pages that we restrict using Visitor Groups (they dont see the CMS - just restricted pages). Can somebody tell me where we set the session timeout length for this type of login please?

Many thanks


Oct 27, 2014 11:54


I might be misunderstanding your question, but the setting should be applied for any users using the current membership provider, regardless of admin or not. It's the timeout value for the authentication cookie set by ASP.NET.



Oct 27, 2014 12:35


Thanks for your reply - if I change this timeout to 1 minute and login to the Admin CMS and wait for 1 minute I get a popup box asking me to log back in - as I expected it to do.

If I login to the Members area in the front end - and wait for 1 minute I am still logged in.

Where is the authentication cookie set? or is this the same line that I pasted in above?


Oct 27, 2014 12:39

What would happen if I put this line of code into the webconfig?

<sessionState timeout="60"></sessionState>

Oct 27, 2014 12:41


If I leave the timeout to 4320 as above then the CMS login works fine but the Members area logs the user out after 40 mins

Hope that helps a bit,


Oct 27, 2014 12:59

Then I guess the problem is in your login page. Your custom login page should get the timeout information (should be available in Membership, IIRC), to set the cookie timeout.



Oct 27, 2014 13:08

The code from the login page in our Commerce Sample site, you get the idea:

        private static void CreateAuthenticationCookie(string username, string domain, bool remember)
            // this line is needed for cookieless authentication
            FormsAuthentication.SetAuthCookie(username, remember);
            var expirationDate = FormsAuthentication.GetAuthCookie(username, remember).Expires;

            // the code below does not work for cookieless authentication

            // we need to handle ticket ourselves since we need to save session paremeters as well
            var ticket = new FormsAuthenticationTicket(2,
                /*expirationDate, - doesn't work when it's DateTime.MinValue. The date needs to be convertible to FileTime, i.e. >=01/01/1601 */
                    expirationDate == DateTime.MinValue ? DateTime.Now.Add(FormsAuthentication.Timeout) : expirationDate,

            // Encrypt the ticket.
            string encTicket = FormsAuthentication.Encrypt(ticket);

            // remove the cookie, if one already exists with the same cookie name
            if (HttpContext.Current.Response.Cookies[FormsAuthentication.FormsCookieName] != null)

            var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
            cookie.HttpOnly = true;

            cookie.Path = FormsAuthentication.FormsCookiePath;
            cookie.Secure = FormsAuthentication.RequireSSL;
            if (FormsAuthentication.CookieDomain != null)
                cookie.Domain = FormsAuthentication.CookieDomain;

            if (ticket.IsPersistent)
                cookie.Expires = ticket.Expiration;

            // Create the cookie.

Oct 28, 2014 3:13
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.