
ASP.NET MVC Session State Timeout


Given that session state is not recommended in ASP.NET MVC, I'm trying to understand under what circumstances session is used. I know that using the TempData creates a session, but what other circumstances are there, and does it matter how I configure the session state timeout for better security?

<sessionState cookieName="s" timeout="20" />

Solution

  • The accepted answer you reference states in part

    This tended to lead to an overuse of session, populating "current" variables in session intended to indicate what the current object being interacted with was. This overuse in turn made applications very state-dependent and much harder to determine expected behaviour ("Is this variable populated?" "Do I have the current order ID yet?").

    MVC is structured around the idea that your website is a view into a logical model of information. It encourages having stateless operations through the use of simple controllers responding to actions with key information passed as part of the HTTP request.

    Session is not a bad thing when your website needs to tie certain content to a specific user, whether for security or personalization purposes. It is fine, expected and normal to use a session for that purpose.

    What you should avoid doing is stuffing the session with any and all information that you might need anywhere in your web application. Take time to learn and understand the MVC architecture, and favor loading data that you need to render a given page when that page is actually being rendered. Only cache things that are relatively expensive to load, or are needed on many/all pages.

    does it matter how I configure the session state timeout for better security?

    The primary concern with session timeout periods is a session hijacking attack, which allows a man in the middle to intercept session information and control the session from a different device under control of the hacker. For most applications, I don't see anything wrong with the default session timeout.

    Another concern is people that walk away from their device, leaving it unattended. People that do that have much greater security worries than just your website.
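As an added example (not part of the question or the answer above), here is the questioner's sessionState element placed beside a hardened web.config fragment. The element and attribute names are real ASP.NET configuration settings; the 20-minute values, the site being served only over HTTPS, and the use of forms authentication with a login page at ~/Account/Login are my assumptions. The sameSite attributes require .NET Framework 4.7.2 or later.

```xml
<!-- Added example: weak vs hardened session configuration for an ASP.NET MVC web.config.
     Assumes the site is served only over HTTPS and uses forms authentication. -->
<configuration>
  <system.web>

    <!-- BEFORE: the element from the question. timeout is in minutes and slides on every
         request, so the session lives as long as the user keeps making requests.
         Nothing here stops the cookie being sent over plain HTTP or read by script. -->
    <!--
    <sessionState cookieName="s" timeout="20" />
    -->

    <!-- AFTER: same 20-minute idle timeout, plus:
         cookieless="UseCookies"  never fall back to carrying the session ID in the URL,
                                  where it leaks through logs, history and Referer headers
         cookieSameSite="Strict"  browser will not attach the cookie to cross-site requests -->
    <sessionState cookieName="s"
                  timeout="20"
                  cookieless="UseCookies"
                  cookieSameSite="Strict" />

    <!-- Applies to every cookie ASP.NET issues, the session cookie included:
         httpOnlyCookies keeps it out of document.cookie, requireSSL marks it Secure so the
         browser never sends it over HTTP, which is what an on-path attacker could read. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict" />

    <!-- The session timeout does not log anyone out. The forms authentication ticket has
         its own timeout; keep the two aligned so a stale login cannot outlive its session. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"
             timeout="20"
             slidingExpiration="true"
             requireSSL="true"
             cookieSameSite="Strict" />
    </authentication>

  </system.web>
</configuration>
```

One caveat the configuration cannot fix: in cookie mode ASP.NET keeps whatever session ID the client presents, so an ID an attacker planted before login stays valid afterwards (session fixation). Handle that in code: at login, abandon the existing session and issue a fresh ID through System.Web.SessionState.SessionIDManager (CreateSessionID followed by SaveSessionID), and at logout call Session.Abandon() and expire the session cookie so the old ID is not replayed.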