Specify the Authentication Time-out for Forms Authentication (IIS 7)

  • Article

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

By default, the time-out value for Forms authentication is 30 minutes. You might consider changing the time-out value to a shorter period of time, to shorten the session lifetime and to reduce the chance of cookie replay attacks.

Prerequisites

For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Authentication Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None

Modules

  • FormsAuthenticationModule

To specify the authentication time-out for Forms authentication

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

To use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click Authentication.

  3. On the Authentication page, select Forms Authentication.

  4. In the Actions pane, click Edit.

  5. In the Edit Forms Authentication Settings dialog box, in the Authentication cookie time-out (in minutes) text box, type the number of minutes you want to use for the time-out value, and then click OK.

Command Line

To specify the authentication time-out for Forms authentication, use the following syntax:

**appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.timeout:**TimeSpan

The variable forms.timeout TimeSpan is the time in minutes when the cookie used for authentication expires. The default value is 30 minutes. For example, to specify the authentication time-out for Forms authentication, type the following at the command prompt, and then press ENTER:

appcmd set config /commit:WEBROOT /section:system.web/authentication /forms.timeout:30

Note

When you use Appcmd.exe to configure the authentication element at the global level in IIS 7, you must specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).

Configuration

The procedure in this topic affects the following configuration elements:

<forms> under <authentication> under <system.web>

For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.

WMI

Use the following WMI classes, methods, or properties to perform this procedure:

  • FormsAuthenticationConfiguration.TimeOut property

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

See Also

Concepts

Configuring Forms Authentication (IIS 7)