Sitecore authentication session expiration and user ticket timeout


Authentication Session Expiration for Sitecore 9.1 and higher

The logic for authentication session expiration for Sitecore Client or for a public website in a Sitecore CMS is described in the Understanding Sitecore authentication behavior changes article.

Authentication Session Expiration for Sitecore prior to version 9.1

To configure the timeout period, use the following section of the web.config file:

<authentication …>
      <forms name=".ASPXAUTH" cookieless="UseCookies" timeout="2" />
</authentication>

If the timeout is not specified, the default value is 30 minutes.

Note: This timeout is used by both the Sitecore Client and the public website, so choose a value that is acceptable for both.

Sitecore user ticket expiration

Sitecore user tickets are related to the number of users who are allowed to work on the client at the same time. Sitecore keeps track of every user logged in to the system and assigns each one a Sitecore user ticket. Because the Sitecore license assumes a limited number of concurrent users (tickets) and tickets might be occupied for a long time, new users can be prevented from logging in. To resolve this, you can adjust the expiration period of the Sitecore Client tickets using the following setting:

<setting name="Authentication.ClientSessionTimeout" value="60" />

You can read more about this setting in the Sitecore.config file.

When logging in to the Sitecore Client, it is also possible to select the Remember Me check box. The expiration period for the cookie is configured by the Authentication.ClientPersistentLoginDuration setting in the Sitecore.config file:

<!--  CLIENT PERSISTENT LOGIN DURATION
      Specifies the number of days before client "remember me" information
      expires. The default is 180 days.
-->
<setting name="Authentication.ClientPersistentLoginDuration" value="180"/>

When Remember Me is selected, the user ticket cookie expiration is set according to the ClientPersistentLoginDuration setting value. This also allows the user to be logged back in to the system automatically, without entering credentials, even when the .AspNet.Cookies cookie has expired.
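To review the forms timeout and the two Authentication settings described above together, the following added example (not Sitecore code) reads them from configuration text and reports the effective values, including the 30-minute default when the timeout attribute is absent. The sample files, the function names and the two policy ceilings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

FORMS_DEFAULT_MIN = 30  # per the page: used when <forms> has no timeout attribute

# Constructed sample files (not from a real installation).
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" cookieless="UseCookies" />
  </authentication>
</system.web></configuration>"""

SAMPLE_SITECORE_CONFIG = """<sitecore><settings>
  <setting name="Authentication.ClientSessionTimeout" value="60" />
  <setting name="Authentication.ClientPersistentLoginDuration" value="180" />
</settings></sitecore>"""

def effective_timeouts(web_config_xml, sitecore_config_xml):
    """Return the values that apply, filling in the forms default when absent."""
    forms = ET.fromstring(web_config_xml).find(".//authentication/forms")
    raw = forms.get("timeout") if forms is not None else None
    settings = {s.get("name"): s.get("value")
                for s in ET.fromstring(sitecore_config_xml).iter("setting")}

    def as_int(name):
        value = settings.get(name)
        return int(value) if value is not None else None  # None: not in this file

    return {
        "forms_timeout_minutes": int(raw) if raw else FORMS_DEFAULT_MIN,
        "client_session_timeout": as_int("Authentication.ClientSessionTimeout"),
        "persistent_login_days": as_int("Authentication.ClientPersistentLoginDuration"),
    }

def review(values, max_forms_minutes=30, max_persistent_days=30):
    """Compare against ceilings; both ceilings are hypothetical policy values."""
    findings = []
    if values["forms_timeout_minutes"] > max_forms_minutes:
        findings.append("forms timeout exceeds policy; it applies to the "
                        "Sitecore Client and the public website alike")
    days = values["persistent_login_days"]
    if days is not None and days > max_persistent_days:
        findings.append(f"Remember Me keeps a client login usable for {days} days")
    if values["client_session_timeout"] is None:
        findings.append("Authentication.ClientSessionTimeout not set in this file")
    return findings

if __name__ == "__main__":
    current = effective_timeouts(SAMPLE_WEB_CONFIG, SAMPLE_SITECORE_CONFIG)
    print(current)
    for finding in review(current):
        print("REVIEW:", finding)
```

Pass the contents of the real web.config and Sitecore.config files in place of the samples, and set the two ceilings to the values your own session policy requires.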