Sitecore session expiration


User session expiration in the CMS works differently for the Sitecore Client and for a public website.

Session Expiration For A Public Website

The logic for session expiration on a public website in a Sitecore CMS is no different from using FormsAuthentication in a generic ASP.NET application.

Depending on the API used to log a user into a Sitecore CMS, the user session can be persistent for the period of the browser session or for the time period specified in the web.config. Sitecore’s AuthenticationManager type uses the logic of the standard ASP.NET FormsAuthentication.SetAuthCookie() function to authenticate website users.

With the AuthenticationManager.Login("extranet\\user", false) call, the user session times out and is not prolonged between different browser sessions/restarts.

With the AuthenticationManager.Login("extranet\\user", true) call, the user session also times out, but it is prolonged between different browser sessions/restarts.

To configure the timeout period, you must use the following section of the web.config file:

<authentication …>
  <forms name=".ASPXAUTH" cookieless="UseCookies" timeout="2" />
</authentication>

If the timeout is not specified, the default value is 30 minutes.

Note: This value is used by the Sitecore Client as well as the public website, so try to set a value that is acceptable for both.

Session Expiration For The Sitecore Client

There are two session types available for the Sitecore Client side.

The first one is related to the time of inactivity after which the user is logged out from the site. This period is set by the authentication section mentioned in the previous section, in the same way as for a public website.

The second session type is related to the number of users who are allowed to work on the site at the same time. Sitecore keeps track of every user logged in to the system and assigns a Sitecore user ticket to each. Because the Sitecore license assumes a limited number of concurrent users (tickets) and tickets might be occupied for a long time, this can prevent new users from logging in.

To resolve this, you can adjust the expiration period of the Sitecore Client tickets using the following setting:

<setting name="Authentication.ClientSessionTimeout" value="60" />

You can read more about this setting in the Web.config or Sitecore.config.

When logging in to the Sitecore Client, it is also possible to select the Remember Me check box. When it is selected, a persistent cookie is created that allows the user to log in to the system again automatically without having to enter his or her credentials. The expiration period for the cookie is configured by the Authentication.ClientPersistentLoginDuration setting in the web.config:

<!-- Specifies the number of days before client "remember me" information
     expires. The default is 180 days. -->
<setting name="Authentication.ClientPersistentLoginDuration" value="180" />
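
To review the three values described above in one pass, the following added example (not Sitecore's own code) reads a single config file and reports what is in force, applying the defaults this page states when an attribute or setting is absent. The policy limits and the sample config are assumptions constructed for illustration, and the script only sees the file it is given, not values patched in from other config files.

```python
import xml.etree.ElementTree as ET

FORMS = "forms timeout (minutes)"
TICKET = "Authentication.ClientSessionTimeout"
REMEMBER = "Authentication.ClientPersistentLoginDuration"

# Defaults stated on this page: 30 minutes and 180 days.
PAGE_DEFAULTS = {FORMS: 30, REMEMBER: 180}
# Upper limits are assumptions for illustration; take them from your own policy.
POLICY = {FORMS: 30, TICKET: 60, REMEMBER: 30}

# Constructed sample: a reduced web.config with no timeout attribute on <forms>.
SAMPLE = """<configuration>
  <system.web><authentication>
    <forms name=".ASPXAUTH" cookieless="UseCookies" />
  </authentication></system.web>
  <sitecore><settings>
    <setting name="Authentication.ClientSessionTimeout" value="60" />
    <setting name="Authentication.ClientPersistentLoginDuration" value="180" />
  </settings></sitecore>
</configuration>"""

def effective_settings(config_xml):
    """Return the values in force for one config file, applying page defaults."""
    root = ET.fromstring(config_xml)
    values = dict(PAGE_DEFAULTS)
    forms = root.find(".//authentication/forms")
    if forms is not None and forms.get("timeout"):
        values[FORMS] = int(forms.get("timeout"))
    for setting in root.iter("setting"):
        if setting.get("name") in (TICKET, REMEMBER) and setting.get("value"):
            values[setting.get("name")] = int(setting.get("value"))
    return values

def audit(config_xml, policy=POLICY):
    """List every setting that is missing from the file or above the policy limit."""
    values = effective_settings(config_xml)
    findings = []
    for name, limit in policy.items():
        if name not in values:
            findings.append(f"{name}: not set in this file")
        elif values[name] > limit:
            findings.append(f"{name}: {values[name]} exceeds limit {limit}")
    return findings

if __name__ == "__main__":
    print(effective_settings(SAMPLE), audit(SAMPLE) or "within policy")
```
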