Hi,

I recently deployed an application that uses ASP.NET membership (SqlMembershipProvider) and I don't know why, but it automatically logs out after 1 minute of inactivity. This doesn't happen on my development environment. I even set the userIsOnlineTimeWindow to 60, which is supposed to be in minutes. Any ideas why this is happening?

I'm deploying to a virtual directory on a shared hosting environment. Here is how I set up the membership provider:

<membership defaultProvider="FaceMoviesMembership" userIsOnlineTimeWindow="60">
  <providers>
    <clear/>
    <add name="FaceMoviesMembership" type="System.Web.Security.SqlMembershipProvider" connectionStringName="FaceMoviesAuthConnectionString"
         enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" maxInvalidPasswordAttempts="10"
         passwordAttemptWindow="60" requiresUniqueEmail="false" passwordFormat="Clear" applicationName="FaceMoviesWeb"
         minRequiredPasswordLength="5" minRequiredNonalphanumericCharacters="0"/>
  </providers>
</membership>

+1  A: 

Found the solution on this blog. Here's an abstract:

It is well known that you need to specify the same machine key entry when running in a web farm. This is due to the fact that things such as FormsAuthTicket or the AntiForgeryToken in ASP.NET MVC by default use the machine key values for encrypting details. Otherwise the user will be redirected back to the login form or validation will fail, when they are load balanced to a different server. This occurs when the decrypted results do not match the cookie in the case for FormsAuth. Causing the user to keep wondering why he’s having to sign-in over and over.

Having encountered this problem with 2 different web host providers, it turns out hosting providers spin up several virtual instances of your app. This recreates the web farm scenario.

alejandrobog
+1 good answer but could be a bit more focused.
Sky Sanders
+1  A: 

As stated, your problem could be an instancing issue.

The dynamically generated machineKey, which is used for encryption/decryption/hashing, is going to be different on every machine, resulting in tickets that are not recognized by different instances of your application.

Explicitly specifying a machineKey section in your web.config will ensure that all instances of your application will honor a ticket regardless of source.

Generate a machineKey section here: http://www.developmentnow.com/articles/machinekey_generator.aspx and paste it into the <system.web> section of your app so that all instances of your app will use the same encryption keys.

This may solve your problem.

Sky Sanders
Thanks, that's what I did, and it worked fine.
alejandrobog
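
One way to produce the machineKey section described in the answers on your own machine, so the keys never pass through a third party. This is an added example, not code from the thread; the function names New-HexKey and New-MachineKeyElement are hypothetical, and the key sizes and the HMACSHA256/AES settings assume .NET Framework 4.0 or later.

```powershell
# Added example (not from the thread): build a <machineKey> element from
# locally generated random keys. Assumes .NET Framework 4.0 or later, where
# validation="HMACSHA256" is supported. Key sizes are this example's choice.

function New-HexKey {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(16, 64)]
        [int]$ByteCount
    )
    $bytes = New-Object byte[] $ByteCount
    # Cryptographic RNG, not Get-Random, because these are secret keys.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try     { $rng.GetBytes($bytes) }
    finally { $rng.Dispose() }
    # Hex string, two characters per byte.
    -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

function New-MachineKeyElement {
    $validationKey = New-HexKey -ByteCount 64   # 128 hex chars, used for the HMAC
    $decryptionKey = New-HexKey -ByteCount 32   # 64 hex chars, AES-256 key
    # Explicit keys replace the per-instance auto-generated ones, so every
    # instance can validate and decrypt tickets issued by any other instance.
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="HMACSHA256" decryption="AES" />' -f $validationKey, $decryptionKey
}

# Emit the element to paste inside <system.web>.
New-MachineKeyElement
```

Run it once and deploy the same output in the web.config used by every instance of the application. The two keys are secrets: anyone holding them can forge forms authentication tickets, so keep them out of public source control.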