I need help figuring out why my authentication ticket is expiring after about an hour on my hosted website. But if I run the site locally the authentication ticket stays alive for the correct amount of time.

This is my localhost web.config:

<authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" timeout="20160" slidingExpiration="true" path="/" />
</authentication>

and this is my hosted web.config:

<authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" timeout="20160" slidingExpiration="true" domain=".mywebsite.com" path="/" />
</authentication>

I know the authentication ticket is being created because:

  • I can see it in the browser cookies
  • I stay logged in even after closing the browser and reopening
  • I stay logged in even after website recycles (changing and saving web.config to recycle it)

When I check the cookie expiration date in the browser it's 2 weeks later. However, after about an hour my authentication always expires.

What can I do to figure out why the hosted website's authentication is expiring so early? I don't know how to go about resolving this problem since it's my hosted website that is the only one having problems.

Update 1: After waiting 1 hour, I check my browser and I see the cookie still exists. In fact its expiration date is set for 2 weeks later. But if I reload the page or try going to any page that requires authentication I am taken to the login page.

A: 

I would try several things in troubleshooting this:

  • IIS version & settings between your localhost & hosting. Most likely there are some differences in the application pool settings
  • In IIS 7, there is a special setting for this: read here
Johannes Setiabudi
I couldn't tell from the link for IIS 7 but does this override the settings I specify in my web.config?
codette
I am not sure, but you probably want to try to configure the IIS
Johannes Setiabudi
A: 

Have you asked your hosting provider if the machine.config has this set to a different value? Settings on machine.config will override the web.config.

Radu094
Yes they showed me the machine.config and I don't see any authentication section in there. So I am assuming that means my web.config values are what's taking effect.
codette
+1  A: 

I added a machinekey entry in system.net. Something like this:

 <machineKey validationKey="aaa"
 decryptionKey="bbb" validation="SHA1" />

and now it keeps the user logged in. However, now it seems like I am having performance issues. The page used to take roughly 500ms to load now takes about double that time.

codette
I had exactly the same problem and this fixed it. I specified only the validationKey and it did the trick without performance penalty. The only explanation I can come up with is that the auto-generated key (which is the default if you don't specify an explicit key) is changing for some reason every now and then. Because the documentation of this seems to be really poor, here's how to do it: Add the <machineKey> tag inside web.config's <system.web> and set the validationKey to a random string of hexadecimal characters (0-9 and A-F). The total string length should be exactly 128 characters.
smt
My joy was premature. The problem persists, so adding an explicit validationKey didn't help after all. No idea how to fix this other than dumping the whole FormsAuthentication stuff and implementing a custom authentication system.
smt
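An added example, not part of the thread above: a Python check of the machineKey entry discussed in the last answer and its comments, plus a generator that draws the keys from a CSPRNG. The 128-character validationKey follows the comment above; the AES decryptionKey lengths (32/48/64 hex characters), the function names and the sample config are assumptions made for this example.

```python
import re
import secrets
import xml.etree.ElementTree as ET

HEX = re.compile(r"[0-9A-Fa-f]+")
# Expected hex lengths: 128 for validationKey (per the comment above);
# 32/48/64 for decryptionKey, assuming decryption="AES".
EXPECTED = {"validationKey": (128,), "decryptionKey": (32, 48, 64)}

# Constructed sample: the placeholder values from the answer, inside <system.web>.
SAMPLE = """<configuration><system.web>
  <machineKey validationKey="aaa" decryptionKey="bbb" validation="SHA1" />
</system.web></configuration>"""

def new_machine_key():
    """Build a <machineKey> element with randomly generated keys."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="SHA1" decryption="AES" />'
            % (secrets.token_hex(64).upper(), secrets.token_hex(32).upper()))

def audit_machine_key(web_config_xml):
    """Return a list of findings for the machineKey in a web.config string."""
    root = ET.fromstring(web_config_xml)
    system_web = next(root.iter("system.web"), None)
    mk = system_web.find("machineKey") if system_web is not None else None
    if mk is None:
        return ["no <machineKey> under <system.web>: keys are auto-generated"]
    findings = []
    for attr, lengths in EXPECTED.items():
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            findings.append(attr + " is auto-generated")
        elif not HEX.fullmatch(value):
            findings.append(attr + " is not a hexadecimal string")
        elif len(value) not in lengths:
            findings.append("%s has %d hex chars, expected %s"
                            % (attr, len(value), "/".join(map(str, lengths))))
    return findings

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE):
        print("finding:", finding)
    print(new_machine_key())
```

Keep the generated values out of source control and use the same element on every server that has to accept the same authentication cookie.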