tags:

views:

642

answers:

4
+3  Q: 

Forms Authentication timing out when it shouldn't?

I have a problem with an ASP.NET application that is driving me nuts.

When a user leaves a page inactive for a period of time the session was timing out and error were being thrown due to session variables not being resolvable (I will error trap this anyway but this is not the problem). I coded a 'defribulator' which will perform an invisible postback after half of the session timeout has expired and this seemed to work fine - leaving the application for 30 mins did not cause an error even though the session timeout was set for 20 mins. However, this morning one of the other Devs experienced a timeout - How is this possible?

On further investigation I think that the problem occurs when the Forms Authentication timeout is exceeded - even though the defribulator has been (apparently) keeping the session alive. I have read that the Authentication ticket will only be reissued if a postback occurs after half of the specified timeout period has elepsed and this can't the issue as the defrib will have issued requests during the second half of the timeout period - so why was it not reissued?

I suppose I could get around the problem by setting the authentication timeout to 8 hours or so but that is a poor fix.

Can anyone shed any light on this?

Thanks in advance

[Edit 24/11/2008] Reviewing the Log Files has proved enlightening and confusing. I can see the defribulator firing after 10 minutes of inactivity but while the Session_Id appears to be consitent throughout, the forms authentications ticket ID changes - not sure if it is supposed to or not. I'm formulating a test plan now and will post back when i have completed them. Thanks to everyone who have provided feedback so far.

[Edit 24/11/2008] Well I'm stumped - everthing seems to be working fine at the moment! The Authentication ticket is being regenerated when the defrib runs (the ID changes) and the session is being maintained. Was it a server issue - can't tell. I have experienced this problem before and never got to the bottom of it and it is very frustrating - surely it should not be this difficult. I'm going to have to let this drop for the timebeing as I have to get on with some other aspects of the application. I'll just have to code around this issue - which may never occur on the customer site.

Thanks again for everyones input - if I make any progress I will post it back here.

+5  A: 

This may also happen when iis recycles or terminates the application pool.

You may want to check Troubleshoot Forms Authentication It could be that the client lost their cookie.

If you manually generate the authentication ticket, you need to set the timeout in code and not the web.config

Aaron Fischer  2008-11-21 15:01:13
Is there anyway of handling this so that authentication/session is not lost?
DilbertDave  2008-11-21 19:05:12
Your suggestion led me to this article which may help me (I'll have a look on Monday)http://msdn.microsoft.com/en-us/library/ms972429.aspx
DilbertDave  2008-11-21 19:14:25
My team has been having problems with session timeouts and Dave's link was extremely helpful, thanks DilbertDave!
Jeremy Bade  2008-11-22 03:14:51
+1  A: 

Don't mean to state the obvious, but:

  1. Are the Session and FormsAuthentication timeouts set to the same value?
  2. Is slidingExpiration set to true?
 2008-11-21 15:02:56
A: 

Thanks for the response guys: I have already explicitly set slidingExpiration to true in the web.config with no effect.

The timeout values are: Session: 20 minutes FormsAuthentication: 60 minutes

I have left the session timeout as is and reduced the FormsAuthentication to 12 minutes for testing. The defrib 'pings' every 10 minutes. If I leave the page inactive for 14 minutes and then click a button I get the problem #edit: but not everytime it seems!#.

DilbertDave  2008-11-21 15:09:58
+1  A: 

Have you checked against an application pool or worker process recycling causing the problem?

JB King  2008-11-21 19:33:32
Not yet - it was suggested yesterday after I left work so I will look on Monday. Would this cause the forms authentication to drop - I though that was cookie based.
DilbertDave  2008-11-22 15:33:52
This could have been the problem (which seems to have gone away now!) but I cannot be sure. Nothing in Event Logs :-(
DilbertDave  2008-11-24 13:42:02
Even if it is cookie based, how is the cookie being decrypted properly if the machine is changing what keys it used to encrypt the cookie? Course that is a bit of an assumption but it was something I've seen when using Forms authentication.
JB King  2008-11-24 17:29:12

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps