I have a problem in which my application uses session variables that expire before my FormsAuthenticationTicket cookie times out. This means that there are situations where a user is still logged in but yet they have lost all of the session state information that is needed to do the personalized database operations that I got them to login for in the first place.<BR><BR>How do I set up forms authentication security to work with session state?<BR><BR>Currently, my login script grants security permissions with a FormsAuthenticationTicket object with the following Sub after it checks to confirm the user&#039;s credentials:<BR>-----------------------------------------------------------------<BR> Sub privRedirectFromLoginPage(ByVal psUserData As String, ByVal pbPersistLoginInfo As Boolean) <BR> Dim oTicket As FormsAuthenticationTicket <BR> Dim oCookie As HttpCookie <BR> Dim sReturnUrl As String <BR><BR> oTicket = New FormsAuthenticationTicket(1, psUserData, Now(), DateAdd("n", 30, Now()), pbPersistLoginInfo, Page.Session.SessionId)<BR> oCookie = New HttpCookie(".ASPXAUTH")<BR> oCookie.Value = FormsAuthentication.Encrypt(oTicket) <BR> Response.Cookies.Add(oCookie) <BR><BR> oCookie = Nothing <BR> oTicket = Nothing <BR><BR> sReturnUrl = Request.Params("ReturnURL") <BR> If sReturnUrl = Nothing Then<BR> sReturnUrl = "secure/default.aspx" <BR> End If <BR> Response.Redirect(sReturnUrl) <BR> End Sub<BR>-----------------------------------------------------------------<BR>This Sub is called from the login form handling sub using the following line of code:<BR>-----------------------------------------------------------------<BR>privRedirectFromLoginPage(txtUserName.Text, False) <BR>-----------------------------------------------------------------<BR>Basically, if you read the code above, it is setting the login credentials to expire 30 minutes after the time of login.<BR><BR>This is the syntax that I know, and is all that I can find in msdn. Can anyone show me a way to re-write the syntax above so that it keeps users logged in as long as their sessionID remains the same, but logs them out the moment their sessionID changes?<BR><BR>There has to be a simple way to do this. But, worst case, there is also the possibility of manually decrypting the .ASPXAUTH cookie and comparing its sessionID value to the current sessionID. I just dont know how to do the decrypting. the code above shows how the encrypting was done at the time of login.<BR><BR>Presently, when I use MyCookie.Value syntax to get the value of the .ASPXAUTH cookie, it gives me the following encrypted output:<BR>-----------------------------------------------------------------<BR>C31996B78F9E7C72CB2B5AF6E0E727564FE0D71A667945 840B359FEDFED585ECEBA1D59156F9DD7660C8B34BAB69EA68 74E0711EF579A0CFF23079C140EED68D0189A62E98902B9013 41C33071717710E160141AC611F1EC9060E3037480F6C69D52 4C50997EDF232A5157B992B4C07DB5527CABBF2F25BC84F3E2 A69222951CFF590A4F6A7B835BE3A72A77427F7A25<BR>-----------------------------------------------------------------<BR>If I decrypted this output, I could find the sessionID that was stored within it before encryption in the code at the start of this posting. But I do not know how to decrypt it, and there has to be a better way.<BR><BR>Can anyone help me? <BR>