Forms Authentication Login timeout postpone - forms-authentication

How can a login timeout be postponed? In a VS 2015 LightSwitch web app with Forms Authentication I would like to extend the timeout to 1 hour. Is that possible, and how?
Input appreciated, thanks
marcel

As my German leaves a lot to be desired, I'll revert to English to answer your question:
In a Visual Studio 2015 LightSwitch Web app, using Forms Authentication, how would you alter the timeout to 1 hour?
Assuming that you're referring to the timeout for the HTTP cookie used by the Forms authentication login, this can be changed from the default 30 minutes to 1 hour by editing your application's web.config file.
The web.config section to modify is the <forms> element, and this needs to be changed to include the optional timeout attribute as follows:
<system.web>
  <authentication mode="Forms">
    <forms name="YourFormsCookieName" timeout="60" />
  </authentication>
</system.web>
This optional timeout attribute specifies the number of minutes after which the authentication cookie expires (if it's not specified it defaults to 30 minutes).
The following quotes the MSDN information on this optional attribute:
Specifies the time, in integer minutes, after which the cookie expires. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time that the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half of the specified time has elapsed. This might cause a loss of precision. The default is "30" (30 minutes).
Note
Under ASP.NET V1.1 persistent cookies do not time out, regardless of the setting of the timeout attribute. However, as of ASP.NET V2.0, persistent cookies do time out according to the timeout attribute.

Related

how to increase session timeout over 1 hour

I want to allow users a longer inactivity timeout setting of over 1 hour. I configured in web.config:
<authentication mode="Forms">
<forms name="MYWEBAPP.ASPXAUTH" loginUrl="~/Welkom.aspx" protection="All"
timeout="181" slidingExpiration="true" path="/"/>
</authentication>
The application pool has the advanced setting:
Idle Time-out (minutes): 181
In the login code I configured the ticket and the cookie:
FormsAuthenticationTicket ticket = new ...
ticket.expiration = DateTime.Now.AddMinutes(180);
...
cookie.Expires = ticket.Expiration.AddMinutes(5);
Response.Cookies.Add(cookie);
The MasterPage prints the ticket.expiration in the footer of each web page, so that I can see what is going on internally.
As is widely known, sliding expiration means that the timeout value is incremented only with a GET request after half of the timeout period has passed. I tested as follows:
At login, I see in the footer an expiration time that is 3 hours ahead.
Every once in a while I do something in the web site, but the expiration time does not change.
If I do something when the expiration is less than 90 minutes ahead, the expiration time is updated to 3 hours from that moment.
However, if I wait longer than 60 minutes, and then do something, while the expiration time is still over an hour ahead, I will get the login page.
Does anybody know how to fix this?
To configure the Session Inactivity Timeout, there are FOUR settings. In my question I mention three settings, and "timeout and auto logout in asp.net 2.0 with IIS 7 even after doing all the possible settings" mentions the fourth setting: the SessionState parameter in Web.config.
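An added illustration, not part of the thread: a small Python model of the timeline described in this question, with the forms ticket (sliding expiration, reissued only after more than half the timeout has elapsed) and the InProc session as the two independent timers the answers refer to. The app pool idle shutdown wiping the session is taken from the answers on this page; the timing logic is a model written here, not ASP.NET's own code.

```python
from dataclasses import dataclass

@dataclass
class FormsTicket:
    issued: int   # minute at which the ticket was (re)issued
    expires: int  # minute from which the cookie is rejected

def forms_request(ticket, now, timeout, sliding):
    """Model of the forms-authentication check for one request at minute `now`.

    An expired ticket is rejected. With slidingExpiration="true" the ticket is
    reissued for a full `timeout`, but only once more than half of `timeout`
    has elapsed since it was issued (the 'half the specified time' rule).
    Returns (authenticated, ticket)."""
    if now >= ticket.expires:
        return False, None
    if sliding and (now - ticket.issued) > timeout / 2:
        ticket = FormsTicket(issued=now, expires=now + timeout)
    return True, ticket

def simulate(requests, forms_timeout=181, session_timeout=20,
             idle_timeout=181, sliding=True):
    """Replay requests made at the given minutes after login (login is minute 0).

    Returns one row per request: (minute, authenticated, session_kept,
    ticket_expires). session_kept is False when the InProc session had already
    been abandoned (idle longer than the sessionState timeout) or was wiped
    because the application pool shut down after idle_timeout idle minutes."""
    ticket = FormsTicket(issued=0, expires=forms_timeout)
    session_expires = session_timeout
    last = 0
    rows = []
    for t in requests:
        if ticket is None:          # already logged out; no re-login modelled
            authed = False
        else:
            authed, ticket = forms_request(ticket, t, forms_timeout, sliding)
        session_kept = t < session_expires and (t - last) < idle_timeout
        session_expires = t + session_timeout   # every request restarts the idle clock
        last = t
        rows.append((t, authed, session_kept, ticket.expires if ticket else None))
    return rows

if __name__ == "__main__":
    # The question's setup: timeout="181", sliding, but sessionState left at its default of 20.
    for row in simulate([0, 30, 60, 100, 161]):
        print(row)
```

With the default sessionState timeout the forms cookie stays valid for the whole run while the session is gone from the second request on; raising session_timeout to 181 keeps both alive, which is the fourth setting the answer refers to.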

Sessions and auth in asp.net

While developing a site (using Forms authentication and InProc session state) I frequently run into a scenario where I lose the variables stored in Session (such as Session["myVar"]), but my auth session remains valid.
This results in some weird behavior on my site.
Why is this happening and what can I do to prevent different lifecycles for my auth and my session variables?
In Asp.Net a Session and "Being logged in" are not the same thing.
Both are (usually) controlled by cookies, but the cookies are separate.
To control how long a Session is kept alive, please see answer by Jonas T.
To control how long a user remains logged in, you can use the timeout on the <forms ... /> element:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="120" slidingExpiration="true"/>
  </authentication>
  ...
</system.web>
To get rid of your problem you should make sure that the session timeout is at least as long as the forms authentication timeout.
If you are allowing persisted cookies in forms authentication ("Remember me"), then there are no guarantees. In that case you just have to set the session timeout to "long enough" according to some criteria/specification.
Edit: Also check the settings on your application pool (under IIS) where the site is deployed. And specifically check what the "Idle Time-out" is. If this is set low (default value is 20 minutes I think), then IIS will shut down the application pool if no requests have come in during that time. That (of course) terminates whatever in-proc sessions existed.
Forms Authentication stores its ticket in a cookie on the client side, or in the URL (if cookies are disabled).
Session variables are stored on the server side with an expiry time. If you want your variable to be more persistent, use a cookie.
You can extend your session timeout in web.config. This is for 20 minutes.
<configuration>
  <system.web>
    <sessionState timeout="20"></sessionState>
  </system.web>
</configuration>
You said that you are working with ASP.NET Forms authentication/authorization, so I'd suggest you use Profile instead of Session state.

Problem: control Session timeout

My session renews every 20 minutes. I've set timeout to 300 minutes but still it renews probably because Application Pool recycles.
I am storing the UserId, which is a Guid, in Session, and it comes back null. The problem is that when I use Membership via
Membership.GetUser().ProviderUserKey
it works fine. But obviously it makes a database call. How can I prevent this problem from happening? Why does Membership.GetUser().ProviderUserKey succeed whereas Session doesn't?
In order to complete Jan's and Neil's answers, you should look at your web.config and set both timeouts (sessionState and authentication)
<sessionState timeout="300"/>
Sessionstate timeout specifies the number of minutes a session can be idle before it is abandoned. The default is 20.
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="300" />
</authentication>
Forms timeout is used to specify a limited lifetime for the forms authentication session. The default value is 30 minutes. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie.
Your session may still be alive (if you set it to 300 minutes) but the ASP.NET membership could be expiring?
Have you increased the authentication timeout too?
<authentication mode="Forms">
<forms loginUrl="Login/" timeout="180"/>
</authentication>
You are mixing authentication and session. These are two completely different concepts.
GetUser() returns the currently authenticated user from your MembershipProvider.
Session and authentication have different timeouts, so it's valid that your session times out but the user is still authenticated.

Why might my users be being logged out after a minute or so?

I have an ASP.NET MVC 2 site using forms authentication. When I run it locally I can log in and stay logged in indefinitely.
However, when I put it on the server I seem to only stay logged in for a few minutes and then seem to be logged out. I have looked at the cookies and there are 2 which seem relevant:
.ASPXAUTH which is a session cookie
.ASPXANONYMOUS which expires in 3 months.
When I refresh the page the cookies stay the same until I get logged out, when I seem to get a new .ASPXANONYMOUS cookie, but the .ASPXAUTH seems to be the same.
It seems that I might be able to stay logged in until I do something after a certain amount of time. If I submit a form as soon as I am logged in then it works ok, but if I keep submitting data again and again then after a minute or so, one of the submits will happen as a logged out user and not as the user who was logged in, which all the other submits worked as.
What might cause this behaviour and how can I track down what is different & change it so that I can stay logged in indefinitely?
EDIT,
It's a single server, but after some more investigation and searching the likely candidate seems to be that I am using more than 100 MB on the server and the application pool is getting recycled. I suppose now I need to know:
How can I check how much memory I'm using?
What advice is there to reduce that?
Could it be that the ASP.NET application is being re-cycled or shutdown (e.g. due to idle timeout, or newly built/changed assemblies)?
When an ASP.NET web application starts up it will, by default, generate encryption keys for view state and session cookies. This will invalidate any such data originally served from an earlier run of the application (or from a different system).
To have sessions survive ASP.NET application cycles (and multi-server farms) you can specify the keys in your web.config:
<system.web>
  ...
  <machineKey
    decryption="AES"
    validation="SHA1"
    decryptionKey="..."
    validationKey="..."
  />
</system.web>
where decryptionKey and validationKey are hex strings of length depending on the algorithm (with AES: 64 digits and SHA1: 128, for other algorithms check MSDN).
These keys should be cryptographically generated, and .NET has the types to do this which can be used from PowerShell:
$rng = New-Object "System.Security.Cryptography.RNGCryptoServiceProvider"
$bytes = [Array]::CreateInstance([byte], 16)
$rng.GetBytes($bytes)
$bytes | ForEach-Object -begin { $s = "" } -process { $s = $s + ("{0:X2}" -f $_) } -end { $s}
For AES use the above array length, for SHA1 use a length of 64.
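Added here as an example, not the answer's own code or Microsoft's: a Python equivalent of the PowerShell step that emits a <machineKey> element with keys of the lengths stated above (64 hex digits for AES, 128 for SHA1) and checks an existing element for the mistakes that keep logging users out after a recycle (auto-generated keys, non-hex characters, wrong length). The accepted length ranges are an assumption taken from the machineKey documentation.

```python
import re
import secrets

# Lengths from the answer above: 64 hex digits for the AES decryptionKey and
# 128 for the SHA1 validationKey. The accepted ranges are an assumption based on
# the <machineKey> documentation (AES 16/24/32 bytes, SHA1 20 to 64 bytes).
RECOMMENDED_HEX = {"AES": 64, "SHA1": 128}
ACCEPTED_HEX = {"AES": (32, 48, 64), "SHA1": tuple(range(40, 129, 2))}

def generate_machine_key(decryption="AES", validation="SHA1"):
    """Build a <machineKey> element with fresh keys from the OS CSPRNG (secrets)."""
    dec = secrets.token_hex(RECOMMENDED_HEX[decryption] // 2).upper()
    val = secrets.token_hex(RECOMMENDED_HEX[validation] // 2).upper()
    return (f'<machineKey decryption="{decryption}" validation="{validation}"\n'
            f'            decryptionKey="{dec}"\n'
            f'            validationKey="{val}" />')

_ATTR = re.compile(r'(\w+)="([^"]*)"')

def check_machine_key(element):
    """Return a list of problems found in a <machineKey> element ([] means fine).

    Flags AutoGenerate (keys change on every application start, so cookies and
    view state issued before a recycle stop validating) and keys whose charset
    or length is not valid for the configured algorithm."""
    attrs = dict(_ATTR.findall(element))
    problems = []
    for key, alg_attr in (("decryptionKey", "decryption"), ("validationKey", "validation")):
        value = attrs.get(key, "")
        alg = attrs.get(alg_attr, "")
        if not value or value.startswith("AutoGenerate"):
            problems.append(f"{key} is auto-generated; it will not survive a recycle")
            continue
        if not re.fullmatch(r"[0-9A-Fa-f]+", value):
            problems.append(f"{key} is not a hex string")
            continue
        if alg in ACCEPTED_HEX and len(value) not in ACCEPTED_HEX[alg]:
            problems.append(f"{key}: {len(value)} hex digits is not valid for {alg}")
    return problems

if __name__ == "__main__":
    element = generate_machine_key()
    print(element)
    print(check_machine_key(element))   # [] for a freshly generated element
```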
It is quite likely that Session Timeout on the web server is configured to a much smaller timespan than you have set in your Form Authentication configuration in web.config.
The default Session Timeout is 20 minutes for IIS6 and IIS7.
If you have access to the web server's admin interface, you can raise the timeout via the GUI, but it can also be set from the config file if you're on IIS7, using the <sessionState> and <sessionPageState> sections:
http://msdn.microsoft.com/en-us/library/cc725820(v=ws.10).aspx
Check the webconfig authentication section
<authentication mode="Forms">
<forms name="UniqueName" loginUrl="login.aspx" path="/" >
</forms>
</authentication>
Ensure that the authentication cookie name for each hosted site is unique.
Came here with a similar issue, following the suggestion by #Richard, I looked at the Application Pools' recycling settings. What I found was the settings were changed and the Regular time intervals (in minutes) value was set to 1 minute. This meant that the app pool was being recycled each minute.
To change that, Right-click on the application pool, select the Recycling option, change the value under Regular time intervals (in minutes). I set it to the same value as the other Application Pools were using.
This change fixed the issue; it turns out it was set to a low value a while back during some misguided troubleshooting with an expired SSL certificate.
If none of these work, check in the Application Pools and ensure that the Idle Timeout is set to 20+ minutes. Click on the application pool, select the Advanced Settings link to the right, find the Process Model section, and increase the Idle Timeout value there.

Controlling the FormsAuthentication createPersistentCookie expiration

In an ASP.NET MVC2 app, we have the standard login action...
if (ValidateUser(model.Email, model.Password))
{
    FormsAuthentication.SetAuthCookie(model.Email, model.RememberMe);
    ...
where the second parameter to SetAuthCookie is createPersistentCookie with the following documentation:
createPersistentCookie
Type: System.Boolean
true to create a persistent cookie
(one that is saved across browser sessions); otherwise, false.
We would like to have the persistent cookie expire after 2 weeks (i.e., a user could return to the site within 2 weeks and not be required to re-authenticate. After that time they would be asked to login again).
How do we set the expiration for the persistent cookie?
Can you not do this?
<system.web>
<authentication mode="Forms">
<forms timeout="20160"/>
</authentication>
</system.web>
The timeout is in minutes.
This timeout value is irrespective of whether or not you are creating a persistent cookie. It simply says that if you don't explicitly terminate the cookie (FormsAuthentication.SignOut), it will automatically expire after the given time period.
In other words, if you do:
FormsAuthentication.SetAuthCookie(someMembershipName, false);
Will result in the cookie expiring when:
The user closes the browser, or
The timeout is reached.
As opposed to if you do:
FormsAuthentication.SetAuthCookie(someMembershipName, true);
Will result in the cookie only expiring when the timeout is reached.
HTH
EDIT:
Taken from MSDN, the timeout attribute is described as follows:
Specifies the time, in integer minutes, after which the cookie expires. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time that the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half of the specified time has elapsed. This might cause a loss of precision. The default is "30" (30 minutes).
Note: Under ASP.NET V1.1 persistent cookies do not time out, regardless of the setting of the timeout attribute. However, as of ASP.NET V2.0, persistent cookies do time out according to the timeout attribute.
In other words, this expiration setting handles the Forms Authentication cookie only.
The Forms Authentication cookie is a client-side cookie; it has nothing to do with any other server-side session you may have (i.e. a shopping cart).
That session is expired with the following setting:
<sessionState
  mode="InProc"
  cookieless="false"
  timeout="20" />
