
ASP.NET non-persistent cookie (aka session cookie) does not time out for some users


I have an ASP.NET MVC Web project that uses a non-persistent cookie (aka session cookie). The requirement is that a logged-in session will time out either after 30 mins of inactivity or when the user closes the web browser.

The project is in production, and some users reported that they don't need to log in after days of usage. But they have to log in at the beginning of using the project. The defect cannot be replicated on testing servers so far. Again, the defect doesn't happen for every user, and happens to some users after some usage.

Below is main code:

1) Use cookie.Expires=DateTime.MinValue; //create non-persistent cookie.

2) Use the FormsAuthentication.Encrypt() method to encrypt the ticket

3) Use the form element's timeout attribute in web.config to validate the timeout

The code above explains the main logic.

Any idea?
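
The three steps listed in the question, written out as an added C# example (not the poster's code) for an ASP.NET application using System.Web forms authentication. The class and method names are hypothetical, and the ticket lifetime is assumed to come from the `timeout` attribute in web.config via `FormsAuthentication.Timeout`. It shows that the browser cookie's lifetime and the ticket's expiration are two separate values, and that only the second is checked on the server.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added illustration; SessionTicket, Issue and IsStillValid are hypothetical names.
public static class SessionTicket
{
    // Steps 1 and 2: encrypted ticket carried in a cookie with no Expires value.
    public static HttpCookie Issue(string userName)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                     // version
            userName,
            now,                                   // issueDate
            now.Add(FormsAuthentication.Timeout),  // expiration, from the web.config timeout
            false,                                 // isPersistent
            string.Empty,                          // userData
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.Expires = DateTime.MinValue;  // no Expires attribute is sent: session cookie
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        return cookie;
    }

    // Step 3: the timeout is enforced on the server from the expiration stored
    // inside the ticket, independent of when the browser discards the cookie.
    public static bool IsStillValid(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return false; }       // malformed value
        catch (HttpException) { return false; }           // failed validation
        catch (CryptographicException) { return false; }  // failed decryption

        // Reject expired tickets and any ticket that claims to be persistent.
        return ticket != null && !ticket.Expired && !ticket.IsPersistent;
    }
}
```

Logging the decrypted ticket's `IssueDate` and `Expiration` for the affected users' requests shows whether the server is accepting a ticket that should already have expired.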

