Asp.net MVC 3 session not expiring on expected time - asp.net

Session in asp.net is not expiring at the expected time. Below is the part of my web.config file for session configuration. Here I want to expire my session in 2 minutes and redirect the user to the login page for testing purposes. Here the session expires about 6 to 7 minutes later.
    <system.web>
      <sessionState mode="InProc" timeout="2" />
      <authentication mode="Forms">
        <forms loginUrl="/Home/Login" timeout="2" />
      </authentication>
    </system.web>
Thanks.

Make sure you have disabled sliding expiration:
    <system.web>
      <sessionState mode="InProc" timeout="2" />
      <authentication mode="Forms">
        <forms loginUrl="/Home/Login" timeout="2" slidingExpiration="false" />
      </authentication>
    </system.web>
Now no matter whether you are sending requests to the application during the period, the forms authentication cookie won't be renewed.
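
Added example, not part of the original answer: a small console model of how the `timeout` and `slidingExpiration` attributes interact, following the documented rule that a sliding ticket is renewed only when a request arrives after more than half of the timeout has elapsed. It models the rule only and does not call the framework; the request schedules are constructed sample data.

```csharp
using System;

// Model of the forms-authentication ticket lifetime rule (not framework code).
static class TicketLifetimeModel
{
    // Returns the time (in seconds after login) of the first request that is
    // rejected because the ticket has expired, or -1 if all are accepted.
    public static int FirstRejectedRequest(int timeoutSec, bool sliding, int[] requestTimesSec)
    {
        int issued = 0;                        // ticket issued at login, t = 0
        int expires = issued + timeoutSec;

        foreach (int t in requestTimesSec)
        {
            if (t >= expires)
                return t;                      // expired: redirect to loginUrl

            // Sliding renewal: only when more than half the timeout has elapsed,
            // i.e. the ticket's age exceeds its remaining lifetime.
            if (sliding && (t - issued) > (expires - t))
            {
                issued = t;
                expires = t + timeoutSec;
            }
        }
        return -1;
    }

    static void Main()
    {
        const int timeout = 120;               // timeout="2" from the question

        // Constructed schedule: an active user sending a request every 50 seconds.
        int[] every50s = { 50, 100, 150, 200, 250, 300, 350, 400 };
        Console.WriteLine("sliding, active user:  " + FirstRejectedRequest(timeout, true, every50s));
        Console.WriteLine("absolute, active user: " + FirstRejectedRequest(timeout, false, every50s));

        // Constructed schedule: one early request, then a pause.
        int[] earlyThenPause = { 50, 130 };
        Console.WriteLine("sliding, early request then pause: " + FirstRejectedRequest(timeout, true, earlyThenPause));
    }
}
```

In the model, a request 50 seconds after login falls in the first half of the 120-second window and does not renew the ticket, so a user whose next request arrives at 130 seconds is rejected only 80 seconds after their last activity, while a steadily active user with sliding expiration is never logged out.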

Related

asp.net 4 form authentication: perform action on user session expiration

I'm using "Forms" authentication in asp.net 4, with a fixed time before the session expires.
I need to call a method that uses some variables in Session just before logging out, but I am not able to handle the case when the user's session is expired (it just redirects me to the login page). For example, I would like to log something like "User session is expired!". Moreover, I need some info stored in Session.
I tried to use the Session_end method, but it seems that the session expiration "event" does not trigger this function.
The configuration in web.config is:
    <sessionState
        mode="InProc"
        cookieless="false"
        timeout="70"/>
    <authentication mode="Forms">
      <forms defaultUrl="~/Default.aspx"
             loginUrl="~/Login.aspx"
             slidingExpiration="true"
             timeout="1" />
    </authentication>
    <anonymousIdentification enabled="false" />
    <authorization>
      <deny users="?" />
    </authorization>
The 1-second delay for expiration is for debugging purposes.
Is it possible to do what I need to?
Many thanks
Think this may have already been answered.
Calling a method on Session Timeout?
Apologies if this is different.

SQL Server Session data and Forms auth

I have to use SQL Server to store session data and forms auth for logging in. Something weird is going on where the session is ending and I lose all session data but the forms auth isn't kicking them to the login page. Here is my web config set up for this:
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="2880" path="/" protection="All"
             defaultUrl="Default.aspx"/>
    </authentication>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
    <sessionState mode="SQLServer" customProvider="AppFabricCacheSessionStoreProvider"
                  sqlConnectionString="" timeout="30" allowCustomSqlDatabase="true">
      <providers>
        <!-- specify the named cache for session data -->
        <add name="AppFabricCacheSessionStoreProvider"
             type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider"
             cacheName="dev-advisorlynx" sharedId="OrionShared"/>
      </providers>
    </sessionState>
Forms auth is managed by the forms authentication cookie. Session state is managed by the ASP.NET_SessionID cookie. You could be losing one and not the other.
Check the cookie traffic using HTTP watch or by checking the IIS logs. They may be scoped differently for whatever reason (e.g. they may have a different domain or path, or one of them may be expiring).

ASP.NET FormsAuthentication does not use State Server

I would like to use State Server for sessionState.
This works fine for all session variables but not for authentication. What must I do to store authentication in State Server so I can use a farm of Webservers? My web.config looks like..
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="~/Account/Login" timeout="20" slidingExpiration="true" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
      <sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" cookieless="false" timeout="20" />
      <machineKey validationKey="F2FCB9C6C8F045A198D4885C6E...
I'm unclear about what you mean by "store authentication in State Server".
Authentication is never stored in session variables, and it's a poor practice to do so. Authentication is stored on the user's local computer in the form of an encrypted cookie (either non-persistent or persistent), and therefore is inherently immune to any webfarm issues so long as your machineKey is specified in common on all servers.
Session and FormsAuthentication are two different systems in .NET.

Display message - session expired

I have the following setting in my web.config
<sessionState mode="InProc" cookieless="false" timeout="20" />
<forms loginUrl="~/Account/LogOn" timeout="20" />
When the user times out after 20 minutes I need to be able to figure out if the session was timed out and display a message on the logon screen. I know the querystring will have a ReturnURL but they can have ReturnURL if they are not logged in and click on favorites or even by typing in the URL.
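
Added example, not from any of the posts: a Global.asax handler that ties together the two independent cookies described in the SQL Server session thread above and gives the logon page a way to tell a timed-out session from a plain unauthenticated visit. It assumes the default session cookie name `ASP.NET_SessionId` and the MVC template's `MvcApplication` class name; the `reason=session-expired` query parameter is a hypothetical marker for the logon view to check.

```csharp
using System;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // Session state is attached at AcquireRequestState; forms authentication
    // has already validated its own cookie by this point.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null)
            return;                            // handler that does not use session state

        // The browser presented a session cookie, yet the server had to create
        // a new session: the previous session has expired or was lost.
        HttpCookie sent = ctx.Request.Cookies["ASP.NET_SessionId"];
        bool hadSession = sent != null && !string.IsNullOrEmpty(sent.Value);
        bool sessionExpired = ctx.Session.IsNewSession && hadSession;

        if (sessionExpired && ctx.Request.IsAuthenticated)
        {
            // The forms ticket outlived the session: end both together.
            FormsAuthentication.SignOut();
            ctx.Session.Abandon();

            // Expire the stale session cookie so the next login gets a fresh
            // session ID and this check does not fire again after re-login.
            ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
            {
                Expires = DateTime.UtcNow.AddDays(-1)
            });

            // Hypothetical marker; ReturnUrl alone cannot signal a timeout.
            string url = FormsAuthentication.LoginUrl + "?reason=session-expired";
            ctx.Response.Redirect(url, false);
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

The marker is only a display hint that any visitor can type into the URL, so the logon page should use it to choose a message and nothing else.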

Persistent Auth Token Expires

I have an ASP.NET MVC application using forms authentication. Here's the line of code where I create the auth token:
FormsAuthentication.SetAuthCookie(username, true);
My web.config contains:
    <system.web>
      <machineKey validationKey="{unique key}" decryptionKey="{unique key}" validation="SHA1" decryption="AES" />
      <authentication mode="Forms">
        <forms loginUrl="~/account/" timeout="2880" />
      </authentication>
      ...
    </system.web>
    <location path="my">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
Despite the parameter for the persistent cookie being set to true, my users get logged out after a few days of inactivity.
The app is deployed to AppHarbor, but I experienced the same behavior when it was hosted on a dedicated server.
What am I missing that would cause users to get logged out sporadically?
Your timeout is set to 2880 minutes, which is 48 hours?
timeout is used to specify a limited lifetime for the forms authentication session. The default value is 30 minutes. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie.
http://msdn.microsoft.com/en-us/library/ff647070.aspx
