2

I'm sure this question has been asked before, but I cannot find it with either Google or the suggested threads given to me while typing this question up. So without further ado:

I am creating an application in which I would like to keep a user logged into my system. From what I understand, session state variables are pretty secure. So would it be safe to keep a user logged into the system (I'm thinking 1 day maximum), by checking their password against the database, if it matches, create a session variable like so:

Session["Expires"] = DateTime.Now.AddDays(1); 

and using that session variable to keep the user signed in by checking if DateTime.Now is less than Session["Expires"]? So if no session variable exists (never logged in), or the user has changed the session ID in their cookies, it would just see them as not logged in and they would not have access anymore.

Win
Vandel212

1 Answer

3

By default, Session timeout is 20 minutes. It is enough for most applications due to sliding expiration.

Ideally, you do not want to set the Session state timeout higher, because opening a session takes up server memory.

Back to the original question

ASP.NET already has that feature, called FormsAuthentication, so you do not need to start from scratch. It uses a cookie instead of Session state. I'm sure you have seen the Remember Me checkbox on the login screen.

It basically saves a FormsAuthenticationTicket in the cookie with the timeout that you set in web.config.

For example,

FormsAuthentication.SetAuthCookie("username", false);

Since this question is not about FormsAuthentication, I do not want to go into detail about it. I hope you get the idea.

Here is another example at SO. You can also download my sample application at GitHub - Login.aspx.cs and Global.asax.cs.

Win
  • Thank you very much for pointing out the tutorial on how to do Forms Authentication. I implemented it and it works very well, and super easy to boot. Thanks again. – Vandel212 Apr 07 '14 at 22:41
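
An added example, not part of the answer above or of the sample application it links to: issuing the forms authentication ticket explicitly, so the one-day limit from the question lives inside the protected ticket rather than in a Session variable. `LoginHelper`, `SignIn` and the `PasswordVerifier` delegate are hypothetical names, and the HTTPS-only cookie is an assumption about the site.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class LoginHelper
{
    // Lifetime taken from the question ("1 day maximum").
    private static readonly TimeSpan TicketLifetime = TimeSpan.FromDays(1);

    // Hypothetical hook for the application's own password check
    // (for example a salted hash comparison against the database).
    public delegate bool PasswordVerifier(string username, string password);

    public static bool SignIn(HttpContextBase context, string username,
                              string password, bool rememberMe,
                              PasswordVerifier verify)
    {
        if (!verify(username, password))
            return false;               // no ticket issued on a failed check

        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                          // ticket version
            username,
            now,                        // issue date
            now.Add(TicketLifetime),    // expiry, checked by ASP.NET on each request
            rememberMe,                 // survive a browser restart?
            string.Empty,               // userData: keep secrets out of it
            FormsAuthentication.FormsCookiePath);

        // With the default protection="All", Encrypt() both encrypts and
        // validates the ticket, so the client cannot edit name or expiry.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,            // not readable from page script
            Secure = true,              // assumption: site is served over HTTPS
            Path = FormsAuthentication.FormsCookiePath
        };
        if (rememberMe)
            cookie.Expires = ticket.Expiration;  // otherwise a browser-session cookie

        context.Response.Cookies.Add(cookie);
        return true;
    }
}
```

This relies on `<authentication mode="Forms">` being set in web.config so that the forms authentication module validates the cookie and populates `User.Identity` on later requests.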