What is the difference between these lines of code:
Forms (FormsAuthention) are used for authentication and when it times out it will logout user. You can 'prevent' timeout by setting SlidingExpiration property to 'true' and it will renew forms ticket on user activity (read request to asp) if needed. This will keep user logged on while he is 'active' on your site.
Membership is used for user validation and userIsOnlineTimeWindow is there to help you track user activity so when it runs out it will set IsOnline property to 'false' for that user. One new thing I found out is that it will also renew forms ticket while users isOnline is set, main difference is that it doesn't renew itself automatically but only when its GetUser() or ValidateUser() methods are run.
When session times out you will lose data found in Session object. That is all.
Note the following behavior:
You set Session timeout = 10 minutes and Forms Authentication timeout = 8 minutes.
The user logs into your site using Forms Authentication.
Both the Session "clock" and Forms Authentication "clock" start running.
Suppose that you keep some info needed for the site's operation in the Session(For example, Session["userData"] = userData;).
The user is idle for 9 minutes.
At 8 minutes the session times out and the user's data is cleared.
At 9 minutes when the user tries to perform some activity on the site, you naively reference the Session["userData"] to get his info. Since it is null he will get error 500 for a null reference.
Conclusion: Keep the forms authentication timeout shorter than the session timeout.