What am I missing? My Form Timeout will not timeout the session

I have an asp.net mvc 3 site with my own authorize attribute. When a user logs in I make a forms auth cookie:

 public void SetAuthCookie(string userName, string userData = "",int version = 1)
    {
        DateTime expiry = DateTime.UtcNow.AddMinutes(30);

        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(version, userName, DateTime.UtcNow, expiry, false, userData, "/");

        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket) {Path = "/"};

        HttpContext.Current.Response.Cookies.Add(authCookie);
    }

// AuthorizeAttribute

public class MyAuthorizeAttribute : AuthorizeAttribute
{

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
       if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }


       if (httpContext.User.Identity.IsAuthenticated)
       {
          return true;
       }

        return false;
    }
}

So I go to my site login and wait for my site to time out. I then do a request (it's an ajax request) and it first goes through my attribute, and httpContext.User.Identity.IsAuthenticated is still set to true even though I did not make a request to the server for 3 minutes.

  <authentication mode="Forms">
      <forms loginUrl="~/Account"
                      protection="All"
                      name=".MySite"
                      path="/"
                      requireSSL="false"
                      slidingExpiration="true"
                      defaultUrl="default.aspx"
                      cookieless="UseDeviceProfile"
                      enableCrossAppRedirects="false"
                       timeout="1"
                       />
    </authentication>


You are creating a cookie with a 30-minute timeout:

DateTime expiry = DateTime.UtcNow.AddMinutes(30);

So you must wait 30 minutes before this cookie becomes invalid. The timeout of 1 minute that you specified in your web.config is ignored because you are manually creating the cookie with a 30-minute timeout.

If you want to match the value from your web.config you could use the following:

// FormsAuthentication.Timeout is a TimeSpan, so convert it to minutes
DateTime expiry = DateTime.UtcNow.AddMinutes(FormsAuthentication.Timeout.TotalMinutes);
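
A version of the login helper that takes the ticket lifetime and cookie settings from the `<forms>` element instead of hard-coding them, plus a diagnostic that reports how many minutes remain on the current ticket. This is an added example, not code from the question or the answers; the names `AuthCookieHelper` and `MinutesRemaining` are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class AuthCookieHelper // hypothetical helper name
{
    // Issue a ticket whose lifetime comes from <forms timeout="..."> in web.config,
    // so the configured value and the ticket's expiry cannot drift apart.
    public static void SetAuthCookie(HttpContextBase context, string userName, string userData = "")
    {
        DateTime issued = DateTime.Now;
        DateTime expiry = issued.Add(FormsAuthentication.Timeout); // Timeout is a TimeSpan

        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, expiry, false, userData, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                         // keep the ticket away from page script
            Secure = FormsAuthentication.RequireSSL  // follows requireSSL in web.config
        };
        // No cookie.Expires: a non-persistent ticket travels in a session cookie and
        // the server enforces the lifetime stored inside the encrypted ticket.
        context.Response.Cookies.Add(cookie);
    }

    // Diagnostic: minutes left on the ticket sent with this request,
    // or null when there is no cookie, it cannot be decrypted, or it has expired.
    public static double? MinutesRemaining(HttpContextBase context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; } // Decrypt throws on a malformed or tampered value

        if (ticket == null || ticket.Expired) return null;
        return (ticket.Expiration - DateTime.Now).TotalMinutes;
    }
}
```

With `slidingExpiration="true"`, the forms authentication module reissues the ticket on a request once more than half of its lifetime has elapsed, so logging `MinutesRemaining` from the authorize attribute shows whether a given request extended the session.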


I agree with the above answer.

For more detail, review http://weblogs.asp.net/owscott/archive/2006/07/15/Forms-Authentication-Timeout.aspx

This may help you.
