What is the best workaround for the ASP.NET forms authentication timeout problem when using wildcard mapping?

Question

My team is working on a crappy old website and most of the pages are still ASP classic. However, we've recently migrated to forms authentication using ASP.NET and wildcard mapping. Everything works surprisingly well except for one thing: logged in users are timing out too quickly. After looking in the logs it appears people are timing out exactly after 20 minutes (which is the specified timeout due to inactivity).

So, our hypothesis is that the ASP classic pages are not tripping whatever mechanism in the forms authentication framework that resets the inactivity timer. I've googled around and even read the wildcard mapping post by the Great Gu but still can't find anyone else who is having this problem. So, 1) Have you ever seen this problem? and 2) What's the best workaround? (other than manually placing a hidden frame in every janky ASP page that loads a dumb .NET page in the background)

Thanks in advance.

Update: slidingExpiration is set to true

Also: We can't use perpetual sessions because we need the application to time out after 20 minutes of inactivity. Also, this terrible site was written so that the interface is usually stored in the page. There's no simple piece of interface code I could slip the JavaScript into. We tried to put some js into an include file that was called by about 80% of our pages but it's caused some esoteric problems with file download buffers so we may have to try a different tack. Thanks.

Answer 1

Is slidingExpiration enabled?

Answer 2

Create a perpetual session.

Essentially you end up emitting some JavaScript and an image tag in your master page or navigation users controls (whatever you're using for consistent navigation). This JavaScript on some interval changes the source of the image tag to an http handler endpoint (some .aspx, .ashx) which returns a 1x1 pix clear gif as a response for the image. The constant request ensures that idle pages will keep the session alive.

As long as a browser window is open to your page your ASP.NET session will never time out.

Often the JavaScript will tack on a random number to the request so that the browser doesn't cache the request.

A decent walkthrough is available here: http://www.codeproject.com/KB/aspnet/SessionForever.aspx

HTH,
Tyler

Answer 3

I am assuming that you have manually created the cookie, in which case your timeout value in code is probably overriding your timeout value in the configuration.

First, if possible (which it probably isn't) don't create the cookie manually, it will save you from not only this headache but dozens of others.

If you must manually create the cookie, make sure that the timeout you are using is actually reading the timeout value that you have set in the configuration file and that sliding expiration is set to true (which you have said it was).

That said, we still have ocassional strange timeout problems when the cookies are manually created. Where I work we implemented a solution which allowed the cookies to be created automatically and timeouts were no longer a problem; however, it did create other issues and we were forced to switch back.