Forms Authentication and Sliding Timeout

When using forms authentication with slidingExpiration set to true (default), the cookie is updated only when more than half the timeout value has elapsed. As a result of this, you might be logged off sooner than you think.


Consider this: You have set the timeout to 30 minutes. You log on at 3:00 pm; a FormsAuthenticationTicket is issued that expires at 3:30 pm. The ticket's expiration will not be extended by another 30 minutes until you make a request after 3:15 pm. So, if you made your last request at 3:15 pm, the ticket will still expire at 3:30 pm, because more than half the timeout value had not yet elapsed (giving you a 15 minute window before you get logged out).


On the other hand, if you had made a request at 3:16 pm, the expiration of the ticket would be extended to 3:46 pm.
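To make the rule concrete, here is a small simulation of the sliding-expiration behaviour described above. It is an added example written for this post, not ASP.NET code and not a call into the FormsAuthentication API; the Ticket class, renew_if_old and simulate are my own names. It implements the renewal rule exactly as the post states it ("more than half the timeout has elapsed"), so a request at precisely the halfway point is treated as not renewing; the framework's exact behaviour at that single boundary instant is not something this post addresses. The request times are constructed to match the 3:00 / 3:15 / 3:16 pm scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Ticket:
    """Minimal stand-in for a forms-auth ticket: when it was issued and when it expires."""
    issue_date: datetime
    expiration: datetime

    @property
    def timeout(self) -> timedelta:
        # The configured timeout is the distance between issue and expiration.
        return self.expiration - self.issue_date

    def is_expired(self, now: datetime) -> bool:
        return now >= self.expiration


def renew_if_old(ticket: Ticket, now: datetime) -> Ticket:
    """Sliding-expiration rule as stated in the post: the ticket is re-issued
    only when more than half of the timeout has already elapsed."""
    if ticket.is_expired(now):
        raise ValueError("cannot renew an expired ticket")
    elapsed = now - ticket.issue_date
    remaining = ticket.expiration - now
    if elapsed > remaining:          # strictly more than half gone -> slide the window
        return Ticket(issue_date=now, expiration=now + ticket.timeout)
    return ticket                    # less than or exactly half gone -> cookie untouched


def simulate(login: datetime, timeout_minutes: int,
             requests: List[datetime]) -> List[Tuple[datetime, bool, datetime]]:
    """Replay a sequence of request times (assumed to be in ascending order) against one
    session. Returns one row per request: (request time, still authenticated?,
    ticket expiration after the request)."""
    ticket = Ticket(login, login + timedelta(minutes=timeout_minutes))
    log = []
    for when in requests:
        if ticket.is_expired(when):
            # The user is logged out; the old expiration is reported for reference.
            log.append((when, False, ticket.expiration))
            continue
        ticket = renew_if_old(ticket, when)
        log.append((when, True, ticket.expiration))
    return log


if __name__ == "__main__":
    # Constructed sample timeline: log on at 3:00 pm with a 30 minute timeout.
    at = lambda h, m: datetime(2006, 1, 1, h, m)
    for when, ok, exp in simulate(at(15, 0), 30, [at(15, 10), at(15, 15), at(15, 31)]):
        print(f"{when:%H:%M} authenticated={ok} expires={exp:%H:%M}")
    print("---")
    for when, ok, exp in simulate(at(15, 0), 30, [at(15, 16), at(15, 31)]):
        print(f"{when:%H:%M} authenticated={ok} expires={exp:%H:%M}")
```

Running it shows the two cases side by side: with a last request at 3:15 pm the expiration stays at 3:30 pm and the 3:31 pm request is rejected, while a request at 3:16 pm slides the expiration to 3:46 pm. The practical consequence is that the real idle window after any given request is somewhere between half the timeout and the full timeout, which is worth remembering both when users report surprise logouts and when you are reasoning about how long a stolen cookie remains usable.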


From MSDN:

timeout: Specifies the amount of time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed. This might result in a loss of precision. Persistent cookies do not time out.

ref: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfforms.asp
