Sessions and auth in asp.net - asp.net

While developing a site (using Forms authentication and InProc sessionState) I frequently run into a scenario where I lose the variables stored in Session (such as Session["myVar"]), but my auth session remains valid.
This results in some weird behavior on my site.
Why is this happening and what can I do to prevent different lifecycles for my auth and my session variables?

In Asp.Net a Session and "Being logged in" are not the same thing.
Both are (usually) controlled by cookies, but the cookies are separate.
To control how long a Session is kept alive, please see answer by Jonas T.
To control how long a user remains logged in, you can use the timeOut on the <forms ... /> element:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="120" slidingExpiration="true"/>
  </authentication>
  ...
</system.web>
To get rid of your problem you should make sure that the session timeout is at least as long as the forms authentication timeout.
If you are allowing persisted cookies in forms authentication ("Remember me"), then there are no guarantees. In that case you just have to set the session timeout to "long enough" according to some criteria/specification.
Edit: Also check the settings on your application pool (under IIS) where the site is deployed. And specifically check what the "Idle Time-out" is. If this is set low (default value is 20 minutes I think), then IIS will shut down the application pool if no requests have come in during that time. That (of course) terminates whatever in-proc sessions existed.
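
The three settings this answer names can be checked together. The following Python sketch is an added example, not code from the original answer; `audit_timeouts`, its finding labels and the sample config are constructed for illustration, the defaults are the ones quoted on this page, and it assumes a web.config without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Defaults as stated on this page (minutes): sessionState 20, forms 30.
SESSION_DEFAULT, FORMS_DEFAULT = 20, 30

def audit_timeouts(web_config_xml, pool_idle_minutes=20):
    """Flag timeout mismatches that leave a user logged in without session data.

    pool_idle_minutes is the application pool's "Idle Time-out"; it lives in
    IIS rather than web.config, so the caller passes it in (0 = disabled).
    """
    root = ET.fromstring(web_config_xml)
    web = next(root.iter("system.web"), None)  # first <system.web>, root included
    if web is None:
        return []
    session = web.find("sessionState")
    auth = web.find("authentication")
    forms = auth.find("forms") if auth is not None else None

    session_min = SESSION_DEFAULT
    if session is not None:
        session_min = int(session.get("timeout", SESSION_DEFAULT))
    in_proc = session is None or session.get("mode", "InProc").lower() == "inproc"
    findings = []

    # Auth ticket outliving the session: authenticated requests with empty Session.
    if auth is not None and auth.get("mode", "").lower() == "forms":
        forms_min = FORMS_DEFAULT
        if forms is not None:
            forms_min = int(forms.get("timeout", FORMS_DEFAULT))
        if session_min < forms_min:
            findings.append("session-shorter-than-auth: sessionState %d min < forms %d min"
                            % (session_min, forms_min))
    # Idle shutdown of the worker process discards InProc sessions early.
    if in_proc and 0 < pool_idle_minutes < session_min:
        findings.append("pool-idle-shorter-than-session: idle %d min < sessionState %d min"
                        % (pool_idle_minutes, session_min))
    return findings

# Constructed sample, modelled on the <forms> snippet above with no <sessionState>.
SAMPLE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="120" slidingExpiration="true"/>
  </authentication>
</system.web></configuration>"""

if __name__ == "__main__":
    for finding in audit_timeouts(SAMPLE):
        print(finding)
```

Out-of-process session modes are not flagged by the idle check, since an idle shutdown of the worker process only discards sessions held in its own memory.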

Forms Authentication stores its ticket in a cookie on the client side, or in the URL (if cookies are disabled).
Session variables are stored on the server side with an expiration time. If you want your variable to be more persistent, use a cookie.
You can extend your session timeout in web.config. This is for 20 minutes.
<configuration>
  <system.web>
    <sessionState timeout="20"></sessionState>
  </system.web>
</configuration>

You said that you are working with ASP.NET Forms authentication/authorization, so I'd suggest you use Profile instead of Session state.

Related

Session timeout in asp.net on server

I have an ASP.NET website hosted on the server. On localhost the session timeout is working, but on the server it is not working (around only 5 min).
I am using the following code.
<sessionState mode="InProc" timeout="100" />
Please help me.
In some cases, when you increase the session timeout and then run the web application, the session will still expire. There could be a few possible reasons for this.
Notice that the session timeout should be less than the application pool idle timeout, so if you increase the session timeout, you have to increase the application idle timeout too. Otherwise, the application will get recycled. If the application is recycled, sessions will expire automatically.
Also, if you use Forms Authentication, you'll probably need to increase the forms timeout too, using markup in web.config like this:
<system.web>
  <authentication mode="Forms">
    <forms timeout="60"/>
  </authentication>
  ...
</system.web>
For more info, see this link: http://www.beansoftware.com/ASP.NET-Tutorials/Session-Timeout-Expiration.aspx
And for keeping your session alive, see this example:
http://www.beansoftware.com/ASP.NET-Tutorials/Keep-Session-Alive.aspx
Set your session timeout minutes in the IIS settings of your website on your server.
For the IIS steps, follow this: https://technet.microsoft.com/en-us/library/cc725820(v=ws.10).aspx

ASP.Net MVC: Session duration?

Due to the complex business logic, I had to implement the authentication myself. I'm storing the authentication with:
FormsAuthentication.SetAuthCookie(identifier,false);
The false is to indicate that we don't want to have a persistent cookie.
I also have to store some information in session (one piece of information that the user has to enter to log in, indicating which set of data he wants to access).
I'm storing that data through a model binder.
It's working fine most of the time. But sometimes, after a period of inactivity, we are still logged in but we don't have any data in session.
I would like the duration of my session to be the same as the login session, to avoid this kind of "I'm logged in but I've lost some data in the session".
I don't need/want to have a persistent connection.
How should I proceed to have this system?
I believe the FormsAuthentication uses its own timeout. You can configure your web.config accordingly:
<system.web>
  <authentication mode="Forms">
    <forms timeout="50"/>
  </authentication>
  <sessionState timeout="50" />
</system.web>
In fact, there was a session timeout by default in the IIS application pool, so, to avoid this problem:
Go to IIS Manager
Go to the ServerName/Application Pools tab
Right-click on the concerned application pool
Click on Advanced Settings
In the section "Process Model", put a higher value in the "Idle Time-out" (this is in minutes)
Click on OK
Restart the application pool
For me, this + the Yannis config (setting the same value for the forms timeout + session state timeout) worked.

Problem: control Session timeout

My session renews every 20 minutes. I've set timeout to 300 minutes but it still renews, probably because the application pool recycles.
I am storing UserId, which is a Guid, in Session, and it returns null. The problem is that when I use Membership using
Membership.GetUser().ProviderUserKey
it works fine. But obviously it makes a database call. How can I prevent this problem from happening? Why does Membership.GetUser().ProviderUserKey succeed whereas Session doesn't?
In order to complete Jan's and Neil's answers, you should look at your web.config and set both timeouts (sessionState and authentication)
<sessionState timeout="300"/>
Sessionstate timeout specifies the number of minutes a session can be idle before it is abandoned. The default is 20.
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" timeout="300" />
</authentication>
Forms timeout is used to specify a limited lifetime for the forms authentication session. The default value is 30 minutes. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie.
Your session may still be alive (if you set it to 300 minutes) but the ASP.NET membership could be expiring?
Have you increased the authentication timeout too?
<authentication mode="Forms">
  <forms loginUrl="Login/" timeout="180"/>
</authentication>
You are mixing authentication and session. These are two completely different concepts.
GetUser() returns the currently authenticated user from your MembershipProvider.
Session and authentication have different timeouts, so it's valid that your session times out but the user is still authenticated.

ASP.NET Session TimeOut problem

I have a weird scenario in one of my ASP.NET applications.
I am using ASP.NET membership with my custom "roleManager",
and have the tag below in web.config to restrict any user not having the role of "Keywords" (roles) from accessing the "Keywords" (path) folder:
<location path="Keywords">
  <system.web>
    <authorization>
      <allow roles="Keywords"/>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Any user with some other role who tries to access this URL (Keywords in this case) will be redirected to a custom Access denied page.
Now things are working fine, but when I leave my application inactive for 30 min I am not able to visit "Keywords"; every time I end up on the custom Access denied page. If I close the browser and log in again, it starts working fine.
Please help me in this case.
Thanks in advance
ASP.NET sessions time out after 20 minutes by default, I think.
You can extend this by specifying a longer time (in minutes) in the Web.config:
<system.web>
  <sessionState timeout="60"/>
  ...
</system.web>
If you are authenticating via Forms, you should raise the authentication cookie timeout value to match.
Also bear in mind that, when running the site under IIS, you should probably extend the application pool's idle timeout to something similar. If you don't do this, the HttpApplication instance for your ASP.NET site will be unloaded, destroying any active sessions in the process.
Usually, the first and easiest thing to do is just change the configuration/system.web/sessionState#timeout value to something like "90"
<sessionState timeout="90" />
It still appears to be timing out after 20 minutes.
*This doesn’t make any sense, it explicitly says that the session timeout should be exactly 90 minutes.*
There’s a couple of issues that are tied together here:
The application pool’s worker process default idle timeout is also set to 20 minutes
The default mode of storing session state is in the IIS process
The settings for the application pool can be found by clicking Properties (IIS 6) or Advanced Settings (IIS 7.5) on the application pool that the application is assigned to.
Ensure the value of "Idle-Time-out(minutes)" is set to the timeout of your session, at a minimum (ex 90), to ensure that all sessions persist for the entire session timeout period.
Try this solution. If there is still a problem, refer to this article; it describes more options to try:
http://asp-net.vexedlogic.com/2012/05/23/aspasp-net-session-timeout-how-do-i-change-it/

Session Timeout ASP.Net

I'm trying to increase the timeout on all sessions. The site is hosted with Godaddy, and it is written in Flash (client side of course) and asp.net on the backend. I've added this to my web.config,
<sessionState timeout="720">
</sessionState>
Is that really all that I need to do? I'd prefer to not let sessions expire ever, but I'm sure that the server needs to reclaim that memory at some point...I'm not storing anything in the session, really, just using it to track users' progress through the site, and if a user is logged in or not.
Thanks for any pointers...all the documentation seems deceptively simple, and it kind of makes me nervous...
Yup!
As in; Yes, that's the only thing you need to do...
To get "never ending timeouts" you'd have to create a background HTTP request (which will transmit the session cookie) back to the server every 719 minutes though. Though theoretically then you'd also have to have "Out of Process" sessions using e.g. some sort of database or something...
Or you could roll your own session handler, I think ASP.NET has support for this through using some sort of adapter pattern or something, but I am not sure. Then you could have a "truly" never ending session...
If you are using Forms Authentication you will also need to set the Forms Authentication Timeout in your web.config
Example:
<authentication mode="Forms">
  <forms
    name=".ASPXAUTH"
    loginUrl="/Home/Default.aspx"
    defaultUrl="/Dashboard/Default.aspx"
    protection="All"
    timeout="30"
    slidingExpiration="true"
  />
</authentication>
