When using FBA, session timeout is determined in the web.config. This is a standard feature of asp.net.
Example:
<forms loginUrl="/_layouts/login.aspx" timeout="30" />
(timeout is in minutes).
Setting the timeout in Central Admin will have no effect on Forms authenticated sites.
or
public class CheckSessionModule: IHttpModule
{
public void Init(HttpApplication app)
{
ctx.Application.AcquireRequestState += this.OnAcquireRequestState;
}
public void Dispose() {}
public void OnAcquireRequestState(Object sender, EventArgs args)
{
if ((HttpContext.Current.User.Identity.IsAuthenticated == true) && (HttpContext.Current.Session.IsNewSession == true))
{
FormsAuthentication.SignOut();
HttpContext.Current.Response.Redirect(HttpContext.Current.Request.Url.ToString(), false);
HttpContext.Current.ApplicationInstance.CompleteRequest();
}
}
}