Hey guys.

This issues has stumped me - seems it should be working.

I have the timeout attribute of the forms element in web.config set to "10" - meaning (I think) that after 10 minutes, the cookie will expire, and the user will be prompted to re-login into the page designated in the loginURL attribute.

But it doesn't! After logged in once, I seem to have infinite access to the secure portion of the site.

I have the authentication definitions defined in the application web.config. It may be helpful to note that the secure directory has its own web.config with the users attribute of the deny element set to "?".

Below is the code for the application web.config:

<authentication mode="Forms">
  <forms loginUrl="admin/AdminLogin.aspx" timeout="1"></forms>
</authentication>
<authorization>
  <allow users="*"/>
</authorization>

And here is the code for the web.config in the secure directory:

<authorization>
  <deny users="?" />
</authorization>

Any help?

Thanks...

Ben