I am using Forms authentication in a Login for my web app. My problem is it never times out...I can come back days later and it allows me access to secure pages...what am I doing wrong?

my web.config is as follows...

<?xml version="1.0" encoding="utf-8" ?> <configuration> <system.web> <customErrors mode="Off"/>      <authentication mode="Forms"> <forms name="HGFIREAUTH" loginUrl="login.aspx" protection="All" timeout="60" />   </authentication>   <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />   <authorization>    <deny users="?" />   </authorization>   <sessionState mode="InProc" cookieless="false" timeout="20" />   </system.web> </configuration>

My login.aspx contains 2 simple asp textboxes and here's the portion of my codebehind that handles the Submit button

.... .... Private Sub LoginBtn_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles LoginBtn.Click   If (UserName.Text = "user") And (UserPass.Text = "password") Then         FormsAuthentication.RedirectFromLoginPage(UserName.Text, True)     Else         lblMessage.Text = "Invalid Login: Please try again"     End If End Sub

Another question I have is how to set the page that the user is directed to after a successful login...

____________________________
Eggheads unite! You have nothing to lose but your yolks.