Web Page Security Validation in App General Settings

In Central Admin, under Web Application General Settings, what is the difference between setting “Security validation” to Off vs. turning it on and setting the expiration to Never?

On our implementation (MOSS 2007, intranet only, all users are domain users, using Kerberos), we have Security Validation set to On and “Security validation expires” set to Never.

However, if someone edits a document (for example in Word or Visio) in a SharePoint library and has the document open for a while (like 1 or 2 hours – I haven’t pinpointed the limit yet), they receive errors when trying to save the document.

I can get the specific errors – I know I have received a Visio “internal error” 2131 if I don’t save for a few hours.

It would appear from my setup that it should never time out. Could there be some other setting? What happens if I turn Security Validation to “Off”? The docs are not clear on exactly what “validation” is occurring when this is on.

Hi,

There are 3 places we need to check for timeout:

· Security Validation timeout (Located at: Central Admin > Application Management > Virtual Server General Settings > Select the Web Application that the site is hosted on, in the Web page Security validation section). Default 30 minutes.
· Session State timeout (Located at: Central Admin > Application Management > Office SharePoint Server Shared Services > Configure Session State). Default 60 minutes.
· IIS Session timeout (Located at: Administrative Tools > IIS Manager > Web Sites > The Web Application that the site is hosted on > Right click, properties > Home Directory tab > Configuration button > Options tab). Default 20 minutes.

For more information about Web Page Security Validation, please refer to the following article:

“The security validation for this page has timed out” error message when a user submits data to Windows SharePoint Services
http://support.microsoft.com/kb/888828/en-us

Hope this helps.

Rock Wang

Is there anywhere that actually describes why this setting is important? And I’m not talking about a doc that says ‘this setting is important – use it’.

We have users who are affected by this, and are asking us to turn it off. I need to have more info so I can talk with our security folk to understand the ramifications of turning it off.

What is the risk this setting is attempting to mitigate?

Thanks.