Setting the timeouts for Session and Authentication can be a bit tricky. If not set properly, your user may be logged in when the Session expires. If you’re app depends on Session specific to the logged in user, you’ll have problems. By default, the Authentication timeout is 30 minutes while for that of Session is 20 minutes. Here’s how you can change that on a site wise basis:

Session

Under <system.web>, add this node:

<sessionState timeout="30"></sessionState>

Authentication

Under <system.web>, have this node:

<authentication mode="Forms">
      <forms timeout="20"></forms>
</authentication>

For both, the timeout is in minutes. Also, note that there are a host of other settings you can change for Authentication, which you can set within the <forms> tag. Intellisense does work.

A lot of people think setting the Session timeout will ensure that the user gets logged out after the Session expires. This is probably because of the fact that there’s no timeout in the <authentication> node. The reason that there isn’t one is because there are two types of authentication accessible in the <authentication> section: 1) Forms and 2) Passport. There can be different settings for each, and hence the timeout needs to be set in the <forms> tag under the <authentication> tags.

Hope that helps.