Forms Auth premature cookie expiration - asp.net

I'm having trouble with a site that just went to production. For some reason, although the settings seem to be correct for a 15 minutes session timeout, users are reporting that in about 5 minutes they have to log in again.
What can I check? how can I troubleshoot this? I can't reproduce it locally, or in our QA environment. Are there IIS settings I could check? browser settings on the client?
below is my web.config entry for the authentication. Thanks!
<authentication mode="Forms">
<forms loginUrl="~/admin/Login" cookieless="UseCookies" requireSSL="false" timeout="15" slidingExpiration="true" name="{C8226EAB-2423-45ce-8A1D-3BC227F1BEE9}"/>
</authentication>

You'll need to add a machine key to your web.config file. It' getting autogenerated with each app pool recycle and causing your auth ticket cookie values to fail.
This is similar to the following question:
figuring out why asp.net authentication ticket is expiring

Well I think that you need also to set the settings of domain name. Do not set www.yourdomain.com, because this way if a user get on yourdomain.com is get diferent cookie.
Set it to root name with our the www: yourdomain.com
<authentication mode="Forms">
<forms
path="/"
domain="yourdoman.com" // <- maybe this key is the reason
/>
</authentication>

Make suer the session is set to at least 15 minutes as well in IIS Manager.

Related

Session Timeout doesnt work in ASP .Net

I have checked various questions asked in SO in this topic also tried the solutions provided for the various questions, but it doesnt work for me.
My application is ASP .Net4.5, I store username, usertype in session and later it is used while inserting data to the SQL tables. I have set the session time out in webconfig as follows.
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".mycookie" timeout="60"></forms>
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="60" />
In the IIS settings against Sessionstate the following were set
SessionState = In Process
Cookie settings -> Mode = Use Cookies
Name = ASP.Net_SessionId
Timeout (min) = 60
I'm not sure whether I'm setting this in wrong way in the above settings. The issue is my application session timeouts much before the set time, I feel it gets timeout in 10-15 minutes. Please advise how to set the timeout value correctly.
Probably, you are getting problem with form authentication timeout and session timeout. Please see here.
Try this in web config file.
<system.web>
<authentication mode="Forms">
<forms timeout="50"/>
</authentication>
<sessionState timeout="60" />
</system.web>
I tried setting session timeout, but it didnt worked for me. I decided to store those session variables used in cookies, and read from cookies. Now there is no session timeout issue. I clear the cookies while login to the application, also set the expiry to 1 day to avoid any issue. Thanks for helping me.

Session and Authentication Timeout don't work

I set Sessionstate an Authentication Timeout in web.Config like below , but users are logout less than 20 minutes
<authentication mode="Forms">
<forms defaultUrl="~/Default.aspx" loginUrl="~/Login.aspx" name="Login" timeout="43200" slidingExpiration="true"/>
</authentication>
<sessionState timeout="43200"></sessionState>
First of all I would like to clarify that Authentication has very little to do with Session.
Every time a new user hits the website the session starts.
And the amount of time that the authentication cookie is good for on the user's browser is defined by authentication time out.
You can also try to set the Session timeout by Going to IIS and setting Session timeout there as well
You should disable or increase the application pool timeout in IIS - web site properties.
Regards

MVC3: How to stop session expiring after 30 mins?

I am trying to change the time it takes for my session to expire. My views are verifying session with <Authorize()>, which works great.
I am doing my session creation as follows:
FormsAuthentication.SetAuthCookie(model.UserName, True)
Return RedirectToAction("Welcome", "Home")
My password is verified with
FormsAuthentication.Authenticate(username, password)
My route web.config has inside system.web
<sessionState timeout="7200"></sessionState>
MY authorization node is as follows:
<authentication mode="Forms">
<forms loginUrl="~/Home/Login" timeout="7200" cookieless="UseCookies" name=".LoginCookie" slidingExpiration="true" >
<credentials passwordFormat="Clear">
<user name="user" password="pass" />
</credentials>
</forms>
</authentication>
Once logged in I can even verify the specific cookie 'LoginCookie' is set to expire in a few days, yet still, if I am inactive for 30 minutes, my user is getting sent to the login page.
Finally, this appears to work fine in Visual Studio, as it always has for sites I have done, but for some reason once in IIS it doesn't (production environment).
Any help on something I may have missed is really appreciated.
That's probably when your IIS apppool is set to recycle. Cache variables are then lost unless they are stored in SQL server or State Server.
Check the settings in the AppPool within IIS. You can extend the idle timeout if required.
Also read this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;324772

Sharing asp.net authentication on different apps on different sub-domains

I have 2 applications. One on asp.net webforms main.test.com which should provide authentication, user logs in and I can use the cookie to authenticate on my asp.net mvc app located at myApp.test.com.
All I'd like to do is able to access the cookie so I can get the userId that was stored in it using the FormsAuthentication.
They use normal authentication provided by microsoft;
<authentication mode="Forms">
<forms domain="test.com" loginUrl="Default.aspx" protection="All" path="/" requireSSL="false" timeout="45" name=".ASPXAUTH" slidingExpiration="true" defaultUrl="Default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
</authentication>
This cookie should be accessible to any submain on test.com right?
Make sure you set your machine keys in each application so they can each decrypt each others data.
http://msdn.microsoft.com/en-us/library/ff649308.aspx
Then make sure you have set your cookie name and path the same in each. Job done, an auth ticket generated in either application should span them both
http://msdn.microsoft.com/en-us/library/ff647070.aspx
Edit: Forgot a bit:
In your web config also set the domain attribute of the httpCookies node to test.com
in the form tag add
domain=".test.com"

Best way to keep ASP.Net Session Active

What is the best way to keep asp.net or asp.net mvc session active until user logs out?
*User should be able to activate session even after browser or computer restarts...
In another words, what is the best way to implement REMEMBER ME...
You can set the timeout setting to a higher value, but you can't make the difference between a session_end caused by a timeout or by a user that ends his session.
The solution to your problem is probably to restore the user's session in the session_start method in Global.asax.
You can use membership provider for this purpose and set a cookie file at the user browser and check it for authentication
Another idea is to send keep-alive request in background via iframe / ajax / image tag every minute or so.
The best way to be able to do this is to use cookies in your authentication strategy to indicate that a user is logged in. Set your website to use forms authentication, and set the pertinent attributes to use cookies. It can be done in your Web.config file:
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
For more information read this: How To: Use Membership in ASP.NET 2.0

Resources