tags:

views:

30

answers:

3
Q: 

ASP.NET Webforms site using HTTPCookie with 100 year timeout times out after 20 minutes

I have a site that is using Forms Auth. The client does not want the site session to expire at all for users. In the login page codebehind, the following code is used:

// user passed validation
FormsAuthentication.Initialize();

// grab the user's roles out of the database 
String strRole = AssignRoles(UserName.Text);

// creates forms auth ticket with expiration date of 100 years from now and make it persistent
FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1,
  UserName.Text, DateTime.Now,
  DateTime.Now.AddYears(100), true, strRole,
  FormsAuthentication.FormsCookiePath);

// create a cookie and throw the ticket in there, set expiration date to 100 years from now
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, 
  FormsAuthentication.Encrypt(fat)) { Expires = DateTime.Now.AddYears(100) };

// add the cookie to the response queue
Response.Cookies.Add(cookie);

Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));

The web.config file auth section looks like this:

<authentication mode="Forms">
      <forms name="APLOnlineCompliance" loginUrl="~/Login.aspx" defaultUrl="~/Course/CourseViewer.aspx" />
</authentication>

When I log into the site I do see the cookie correctly being sent to the browser and passed back up:

HttpFox output

However, when I walk away for 20 minutes or so, come back and try to do anything on the site, the login window reappears. This solution was working for a while on our servers - now it's back. The problem doesn't occur on my local dev box running Cassini in VS2008.

Any ideas on how to fix this?

+1  A: 

Session timeout and Forms Authentication timeout are two separate things. Is the Session timeout set to 20 minutes, and would it be logging your users out in the Session_End event in Global.asax file by any chance?

womp  2010-06-11 20:23:50
A: 

Well I do have the following in Global.asax:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        //Fires upon attempting to authenticate the use
        if (!(HttpContext.Current.User == null))
        {
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                if (HttpContext.Current.User.Identity.GetType() == typeof(FormsIdentity))
                {
                    FormsIdentity fi = (FormsIdentity) HttpContext.Current.User.Identity;
                    FormsAuthenticationTicket fat = fi.Ticket;

                    String[] astrRoles = fat.UserData.Split('|');
                    HttpContext.Current.User = new GenericPrincipal(fi, astrRoles);
                }
            }
        }
    }

Is that what you're referring to? Also, we're in an IIS6 environment if that makes any difference.

Rob  2010-06-11 20:29:16
That looks fine. I mean that there are two separate timeouts - one for your authentication ticket, which is set to 100 years. But there is a Session timeout as well, which by default is set to 20 minutes, so it sounds to me like it is affecting something. A common pattern is to hook up the Session_End event to a handler in Global.asax that will log a user out of their formsauth ticket when their session expires.
womp  2010-06-11 20:35:21
Right - I don't have that type of thing. Is there a way to force Session timeout to nothing or infinity so it defaults to the HTTPCookie?
Rob  2010-06-11 20:39:44
The Session timeout can be set in the web.config: http://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx. <sessionState timeout="525600" /> It can't be set for longer than 1 year, however.
womp  2010-06-11 20:55:56
Added <sessionState mode="InProc" timeout="525600" /> to the web.config - still dumps out after 20 minutes :-(
Rob  2010-06-11 22:23:59
A: 

By default, app pools in IIS 6 are set to shut down after 20 minutes of inactivity. If there's nothing in your app configuration that's causing your app to shut down that quickly, check the app pool configuration in the IIS Manager. There are lots of wonderful knobs you can set in there.

Andrej Marjan  2010-08-19 14:45:20

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps