Symptoms

We have 2 internal and one extra server which is specifically for FBA.
The forms are not getting timed out when accessed through FBA server URL. We have followed the article which say we need to set the session timeout parameter in web.config of Runtime/bin. But no luck. We also did iisreset before testing.

 

Diagnoses

The FormsSTS works on a claim, and the claim has an expiration time.
This is setup in "c:Program Files (x86)K2 blackpearlWebServicesIdentityStsFormsWeb.config"
This is by default 8 hours.
If the claim has expired, the user will not be able to do anything until he logout and logs back in and get a new token.
Also, Forms Designer and Runtime has a check that runs every minute, and then claim expire, shows a popup that tells you it's expiring and gives you option to extend it. If you click Yes, it opens a new window and extend the time.
If you do nothing, it will send you back to the provider screen to choose WidnowsSTS or FormsSTS. If you only have FormsSTS setup, then it will just send you to the FormsSTS, but you might lose unsaved changes.

So, a easy way to test is to set this in the FormsSTS web.config:
andltadd key="SessionTokenLifetime" value="60" /andgt
andltadd key="MaximumTokenLifetime" value="60" /andgt

But the ASPSessionCookie might still be valid, and will thus just rebuild the claim and let you in.


 

Resolution

There is a workaround to have it also prompt for the username and password.
You can do this by changing the sessiontimeout to very low (the value is in minutes) and disable the slidingExpiration in the web.config "c:Program Files (x86)K2 blackpearlWebServicesIdentityStsFormsWeb.config"

andltauthentication mode="Forms"andgt
andltforms defaultUrl="." loginUrl="~/Account/Login" slidingExpiration="true" timeout="1" /andgt
andlt/authenticationandgt