I inherited an asp.net 2.0 web application [e commerce].
There are two web.config entries as follows:
<forms name="CommerceAuth" loginUrl="../Login.aspx" protection="All" timeout="120" path="/"/>
<sessionState mode="InProc" timeout="120"/>
To test what would happen if i loaded the web application, waited until the session ended, then attempt to access the site again; i modified those values to be 5 minutes.
I don't know what I expected to happen, but when i reloaded the web page i was on -- NOTHING happened!
What type of behavior should i expect when a page is accessed after the session times out?
I would expect the user to be redirected to the login page and be forced to re-authenticate.