Question

In my web.config I have this:

<system.web>
    <authentication mode="Forms">
        <forms loginUrl="Login.aspx" protection="All" path="/" timeout="30"/>
    </authentication>
    <sessionState timeout="20" />
</system.web>

<location path="admin">
    <system.web>
        <authorization>
             <deny users="*"/>
             <allow users="admin"/>
        </authorization>
    </system.web>
</location>

I have two problems:

  1. In my admin path I want only the admin user to have access but I can't find a way to do this. How can I make only the admin user have access?

  2. The user always gets logged out even if I try to use cookies so he shouldn't be logged out. In my login.aspx I have the following code when the user is valid:

    FormsAuthentication.RedirectFromLoginPage(user, CheckBoxPersistCookie.Checked);
    

How can I make the user stay logged in?


Solution

Try putting the <allow> line over the <deny> line.

<system.web>
    <authentication mode="Forms">
        <forms loginUrl="Login.aspx" protection="All" path="/" timeout="30"/>
    </authentication>
    <sessionState timeout="20" />
</system.web>

<location path="admin">
    <system.web>
        <authorization>
             <allow users="admin"/>
             <deny users="*"/>
        </authorization>
    </system.web>
</location>
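
Why the order matters, as an added example that is not part of the original answer: ASP.NET URL authorization walks the rules top to bottom and stops at the first one that matches, so anything after a `users="*"` rule is dead. The Python sketch below models that with hypothetical helper names (`parse_rules`, `is_allowed`, `shadowed_rules`), handles only the `users` attribute (no roles or verbs), and assumes exact name comparison.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the two <authorization> blocks from this page.
QUESTION_RULES = """<authorization>
    <deny users="*"/>
    <allow users="admin"/>
</authorization>"""

ANSWER_RULES = """<authorization>
    <allow users="admin"/>
    <deny users="*"/>
</authorization>"""


def parse_rules(xml_text):
    """Return [(action, [user, ...]), ...] in document order."""
    root = ET.fromstring(xml_text)
    return [(el.tag, [u.strip() for u in el.get("users", "").split(",") if u.strip()])
            for el in root if el.tag in ("allow", "deny")]


def rule_matches(users, name):
    """'*' matches everyone, '?' matches anonymous (name is None)."""
    if "*" in users:
        return True
    if name is None:
        return "?" in users
    return name in users  # simplified: exact name comparison (assumption)


def is_allowed(rules, name):
    """First matching rule decides; later rules are never consulted."""
    for action, users in rules:
        if rule_matches(users, name):
            return action == "allow"
    return True  # models the inherited default <allow users="*"/>


def shadowed_rules(rules):
    """Rules placed after a users="*" rule can never match: report them."""
    for i, (_, users) in enumerate(rules):
        if "*" in users:
            return rules[i + 1:]
    return []


if __name__ == "__main__":
    for label, xml_text in (("question", QUESTION_RULES), ("answer", ANSWER_RULES)):
        rules = parse_rules(xml_text)
        print(label, {u: is_allowed(rules, u) for u in ("admin", "bob", None)},
              "shadowed:", shadowed_rules(rules))
```

A non-empty `shadowed_rules` result is a useful review signal for any `<location>` block, since it means a rule someone wrote is never evaluated.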

OTHER TIPS

As I understand it, you have a 30-minute timeout on your authentication cookie and 20 minutes on your session cookie. It seems that as the session will expire in 20 minutes, it will then be impossible to use the authentication cookie too.
It is a little tricky if you want to leave the user logged in. I know that it is possible to implement this using JavaScript and an invisible iframe. You need to reload the iframe every 5 minutes, for example. Your session will stay alive and the local cookies will be updated.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow