how to config form authenticated ticket to expire

Topics: Administration
Apr 11, 2013 at 7:10 AM

As a user logged into Orchard through the default form authentication mechanism, the user will never require password for subsequent logins. I guess orchard authenticate against the same ticket issued on the first time login. How can I make the ticket expire in 1 hour for example?

Many Thanks.
Apr 11, 2013 at 10:02 AM
Orchard uses the Forms Authentication provider, so you'll be able to configure that from web.config as you would when configuring Forms Authentication.
Apr 12, 2013 at 6:48 AM
Edited Apr 12, 2013 at 6:49 AM
Hi Skywalker,

I changed the web.cofig, and it doesn't work:
<authentication mode="Forms">
    <forms timeout="60"/>
I found the following line of code in FormsAuthenticationService:
ExpirationTimeSpan = TimeSpan.FromDays(30);
So I think I will override IAuthenticationService and change it to something like:
ExpirationTimeSpan = TimeSpan.FromHours(1);
Thank you for your answer.
Apr 12, 2013 at 12:56 PM
Hey guys, This cannot be done in the Web.Config at this time. I raised a bug around this, and during a triage session it was deemed a feature and pushed in to Orchard Future Releases. Maybe we could push for 1.7?
Apr 12, 2013 at 1:08 PM
Do you have the link to that work item? I'm curious why it is deemed a feature instead of a bug. Perhaps there's a reason that it's not reading settings from web.config. I can imagine that it would be better to have site settings to control things like session duration, so that it's agnostic of the authentication provider implementation (e.g. we could have an OAuthService instead of the FormsAuthenticationService).