I want to log a user into an ASP.NET MVC site, and the session expires very quickly, in minutes.
Authentication is done in one line of code:
authProvider.Authenticate(model.UserName, model.Password)
Then I have in Web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" name=".ASPXAUTH" timeout="300" slidingExpiration="true" />
</authentication>
and the setting in IIS on the server is 300 minutes.
What is the problem?
Make sure you have a sessionState timeout value that matches your forms timeout:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login"
name=".ASPXAUTH"
timeout="300"
slidingExpiration="true" />
</authentication>
<sessionState timeout="300" mode="InProc" />
</system.web>
You also need to change the Idle Time-out parameter of your Application Pool to the desired authentication timeout, to prevent the Application Pool from recycling too soon and therefore losing your sessions.
This parameter can be found in:
IIS - Application Pools - Advanced Settings of the Application Pool in question.
References:
Configure Idle Time-out Settings for an Application Pool
IIS7 Application Pool Idle Time-out Settings
If you don't want to change this parameter(*), a solution is to use the StateServer mode of the Session State. This mode uses a service to store the session instead of the memory with In-Process mode. It has the advantage of not losing the session when the Application Pool is recycled. It's also very easy to configure:
<system.web>
<sessionState mode="StateServer"
stateConnectionString="tcpip=loopback:42424"
cookieless="false"
timeout="300" />
</system.web>
(*) 5 minutes is very low. The default is 20 minutes. So I advise setting it to at least the default value if using the StateServer mode.
Reference:
Session-State Modes
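The three timeouts this answer lines up (forms ticket, session state, Application Pool Idle Time-out) can be checked against each other in one pass. The following is an added example, not part of the original answer; the function name, the sample Web.config and the idle values passed in are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: forms settings from the question, shorter session timeout.
SAMPLE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" name=".ASPXAUTH" timeout="300"
           slidingExpiration="true" />
  </authentication>
  <sessionState timeout="60" />
</system.web></configuration>"""

# Documented defaults in minutes: forms ticket, session state, pool Idle Time-out.
DEFAULT_FORMS, DEFAULT_SESSION, DEFAULT_IDLE = 30, 20, 20


def audit_timeouts(xml_text, app_pool_idle=DEFAULT_IDLE):
    """Compare the three timeouts discussed above for one Web.config.

    app_pool_idle is the pool's Idle Time-out in minutes (0 = disabled). It is
    stored in IIS, not in Web.config, so the caller has to supply it.
    """
    root = ET.fromstring(xml_text)
    forms, state = root.find(".//forms"), root.find(".//sessionState")
    auth = int(forms.get("timeout", DEFAULT_FORMS)) if forms is not None else DEFAULT_FORMS
    session = int(state.get("timeout", DEFAULT_SESSION)) if state is not None else DEFAULT_SESSION
    mode = state.get("mode", "InProc") if state is not None else "InProc"

    findings = []
    if auth != session:
        findings.append(f"forms timeout {auth} != sessionState timeout {session}")
    # InProc data lives in the worker process, so it is gone once an idle pool
    # shuts that process down (worst case: no other traffic keeps it alive).
    if mode == "InProc" and 0 < app_pool_idle < session:
        findings.append(f"InProc session can be lost after {app_pool_idle} idle minutes")
        session = app_pool_idle
    return {"auth_minutes": auth, "session_minutes": session,
            "mode": mode, "findings": findings}


if __name__ == "__main__":
    for idle in (20, 0, 300):
        print(idle, audit_timeouts(SAMPLE, app_pool_idle=idle))
```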
Related
How to set (increase) the session timeout when using forms authentication in ASP.Net?
I set it in the web.config file as follows, but it doesn’t work.
<configuration>
<system.web>
<sessionState timeout="60"></sessionState>
</system.web>
</configuration>
The timeout property of the <sessionState> is the correct place to set it as you currently have if you want the actual Session to expire, however since you explicitly mention Forms Authentication, you may want to check out the timeout for that, as the two are different.
Do you mean the Forms Authentication Timeout?
You can adjust the specific timeout property of your Forms Authentication in your application by adjusting the timeout property within the <authentication> element of your web.config file. You will also want to be mindful if you are using the slidingExpiration property in conjunction with timeouts, as they can actually expire much earlier than the timeout listed.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="yourTimeoutInMinutes"></forms>
</authentication>
So if you wanted to extend the amount of time that the authentication token stays "alive" for to, say, 180 minutes (3 hours), you would set it as seen below:
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="180"></forms>
</authentication>
Consider the Idle Timeout in IIS
You may also want to consider looking into setting the Idle-Timeout property on your server within IIS if your updated configuration properties don't seem to work (as the Idle-Timeout defaults at 20 minutes).
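Why a sliding ticket can expire earlier than its listed timeout: the ticket is reissued only on a request that arrives once at least half of its lifetime has passed, so activity in the first half does not extend it. The following is an added example, not part of the original answer; it is a simplified model of that renewal rule, and the function names and request times are constructed.

```python
def replay_ticket(timeout, request_minutes, sliding=True):
    """Replay requests (minutes after login) against one forms-auth ticket.

    Returns (rejected_at, renewals): the minute of the first request that
    arrives with an expired ticket (None if all are accepted) and the minutes
    at which a fresh ticket was issued.
    """
    issued, expires, renewals = 0, timeout, []
    for now in sorted(request_minutes):
        if now >= expires:
            return now, renewals
        elapsed, remaining = now - issued, expires - now
        # Model of the sliding rule: a new ticket is issued only when at
        # least half of the lifetime is used up; earlier requests leave it as is.
        if sliding and elapsed >= remaining:
            issued, expires = now, now + timeout
            renewals.append(now)
    return None, renewals


def longest_idle_gap(request_minutes, rejected_at):
    """Largest pause between consecutive requests up to the rejected one."""
    times = [0] + sorted(t for t in request_minutes if t <= rejected_at)
    return max(b - a for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    # timeout="180" as in the answer above; request times are constructed.
    early = [80, 200]    # activity only in the first half of the lifetime
    late = [100, 200]    # activity after the halfway point
    print(replay_ticket(180, early))
    print(replay_ticket(180, late))
    print(replay_ticket(180, late, sliding=False))
    print(longest_idle_gap(early, 200))
```

With the constructed `early` pattern the user is sent back to the login page after a pause of 120 minutes, although the configured timeout is 180.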
I set the sessionState and authentication timeouts in Web.config as below, but users are logged out in less than 20 minutes.
<authentication mode="Forms">
<forms defaultUrl="~/Default.aspx" loginUrl="~/Login.aspx" name="Login" timeout="43200" slidingExpiration="true"/>
</authentication>
<sessionState timeout="43200"></sessionState>
First of all I would like to clarify that Authentication has very little to do with Session.
Every time a new user hits the website the session starts.
And the amount of time that the authentication cookie is good for on the user's browser is defined by authentication time out.
You can also try to set the Session timeout by going to IIS and setting the Session timeout there as well.
You should disable or increase the application pool timeout in IIS - web site properties.
Regards
I have it set to 120 minutes but it doesn't last that long. I am not sure exactly how long it does last but I know it isn't 2 hrs.
<sessionState timeout="120" />
This was set only in the default Web.config and NOT in the one in the Views directory nor the Web.Debug.config or Web.Release.config.
Would that make a difference as the default session timeout is 20 min?
To guarantee your sessions don't get killed by a w3wp.exe crash or an application pool recycle, you should move the session state to a separate store. The easiest is the ASP.Net State Server service. Make sure to start the service on the host machine and add this to your web.config instead:
<sessionState mode="StateServer"
stateConnectionString="tcpip=SampleStateServer:42424"
cookieless="false"
timeout="120"/>
I think you should define the session state mode
There are three different session states in ASP.NET
http://msdn.microsoft.com/en-us/library/ms178586(v=VS.80).aspx
In-Process Mode
The default one is <sessionState mode="InProc" timeout="10" />; the session will be cleared after rebuilding the project.
State Server Mode
We can use this, but remember to turn on the service - ASP.NET State Service
<sessionState mode="StateServer"
stateConnectionString="tcpip=localhost:42424"
sqlConnectionString="data source=.\SQLEXPRESS; User ID=sa;Password=12345678; Integrated Security=SSPI"
cookieless="false"
timeout="2"
/>
SQL Server Mode
We can use this after creating the ASPState DB by command; please check this site for details - http://www.brianstevenson.com/blog/aspstate-concurrently-running-for-net-1011-and-net-20
<sessionState mode="SQLServer"
stateConnectionString="tcpip=localhost:63586"
sqlConnectionString="data source=.\SQLEXPRESS; User ID=sa;Password=12345678; Integrated Security=SSPI"
cookieless="false"
timeout="2"
/>
The session in State Server Mode & SQL Server Mode will not be cleared after rebuilding the project; it's good for development.
What is the difference between the session timeout and forms timeout properties
<authentication mode="Forms">
<forms protection="All" slidingExpiration="true" defaultUrl="Administrator/Default.aspx" loginUrl="login" timeout="180" >
</forms>
</authentication>
<sessionState timeout="300">
</sessionState>
How do the <forms> timeout and <sessionState> timeout properties in the web.config file differ?
Thanks
The forms timeout is the inactivity timeout for forms authentication (or absolute timeout if you're not using sliding expiration).
Sessionstate timeout is the inactivity timeout for the user's session data - e.g. any session data you store for that user.
I am trying to change the time it takes for my session to expire. My views are verifying session with <Authorize()>, which works great.
I am doing my session creation as follows:
FormsAuthentication.SetAuthCookie(model.UserName, True)
Return RedirectToAction("Welcome", "Home")
My password is verified with
FormsAuthentication.Authenticate(username, password)
My root web.config has inside system.web
<sessionState timeout="7200"></sessionState>
My authorization node is as follows:
<authentication mode="Forms">
<forms loginUrl="~/Home/Login" timeout="7200" cookieless="UseCookies" name=".LoginCookie" slidingExpiration="true" >
<credentials passwordFormat="Clear">
<user name="user" password="pass" />
</credentials>
</forms>
</authentication>
Once logged in I can even verify the specific cookie 'LoginCookie' is set to expire in a few days, yet still, if I am inactive for 30 minutes, my user is getting sent to the login page.
Finally, this appears to work fine in Visual Studio, as it always has for sites I have done, but for some reason once in IIS it doesn't (production environment).
Any help on something I may have missed is really appreciated.
That's probably when your IIS app pool is set to recycle. Cache variables are then lost unless they are stored in SQL Server or State Server.
Check the settings in the AppPool within IIS. You can extend the idle timeout if required.
Also read this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;324772