Forms authentication - sliding expiration


Scott Hanselman has detailed it here.

http://www.hanselman.com/blog/WeirdTimeoutsWithCustomASPNETFormsAuthentication.aspx

You may need to look into the IIS idle timeout.

https://technet.microsoft.com/en-us/library/cc771956%28v=ws.10%29.aspx

Got help at asp.net forums to fix the issue.

Author by

learning...


Updated on June 04, 2022

Comments

  • learning... almost 2 years

    I think my sliding expiration is not happening and people keep getting logged out after just a few minutes. Here is my setup: slidingExpiration is set to "true" and timeout I updated to "60" instead of 20 for testing purposes.

    <authentication mode="Forms">
      <forms name="Lab.ASPXFORMSAUTH" loginUrl="~/Login" enableCrossAppRedirects="true" cookieless="AutoDetect" domain="lab.org" slidingExpiration="true" protection="All" path="/" timeout="60" />
    </authentication>
    

    And here is the login code. If remember me is selected then the ticket expiration time will be one year from now, otherwise it will be 20 mins from now.

    // Requires: System, System.Web, System.Web.Security, Newtonsoft.Json
    private static void LoginUser(User user, bool isRememberMe)
    {
        // Forms Authentication: the ticket lifetime is set here, not read from web.config
        var expiryDateTime = isRememberMe ? DateTime.Now.AddYears(1) : DateTime.Now.AddMinutes(20);

        var ticket = new FormsAuthenticationTicket(
            1,                                       // Ticket version
            user.UserId,                             // Username associated with ticket
            DateTime.Now,                            // Date/time issued
            expiryDateTime,                          // Date/time to expire
            isRememberMe,                            // "true" for a persistent user cookie
            JsonConvert.SerializeObject(user.Roles), // User data, in this case the roles
            FormsAuthentication.FormsCookiePath);    // Path cookie valid for

        // Encrypt the ticket using the machine key for secure transport
        var encryptedTicket = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, // Name of auth cookie
            encryptedTicket);                    // Encrypted ticket

        // Set the cookie's expiration time to the ticket's expiration time
        if (ticket.IsPersistent)
        {
            cookie.Expires = ticket.Expiration;
        }

        // Add the cookie to the list for outgoing response
        HttpContext.Current.Response.Cookies.Add(cookie);
    }
    

    Looks like I have some disconnect going on between the web.config and the ticket expiry time. Do you see what I am doing wrong here? Thanks

    Update #1:

    Tested the dev site, logged in (FF and Chrome), then refreshed the page after 5 mins and it kept me logged in. Then refreshed the page after 14 mins and it redirected me to the login page.

    Tested the prod site (2 servers - load balanced), followed the dev site refresh interval, kept me logged in.
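
How sliding renewal treats a ticket that was built in code, as an added example (not code from the original post or from ASP.NET itself): it models the Forms authentication rule that a ticket is reissued only once more than half of its own lifetime has elapsed, and that the reissued ticket keeps the lifetime stored in the ticket rather than the web.config `timeout`. `Ticket`, `SlidingModel`, the login time and the request times are hypothetical and constructed for the illustration.

```csharp
using System;

// Added illustration. Ticket is a hypothetical stand-in for FormsAuthenticationTicket
// so the model runs without System.Web.
public sealed class Ticket
{
    public DateTime IssueDate { get; }
    public DateTime Expiration { get; }
    public Ticket(DateTime issued, DateTime expires) { IssueDate = issued; Expiration = expires; }
}

public static class SlidingModel
{
    // Renewal rule: leave the ticket alone while more time remains than has elapsed;
    // otherwise reissue it with the SAME lifetime the old ticket had
    // (Expiration - IssueDate). The web.config timeout is not consulted here.
    public static Ticket RenewIfOld(Ticket old, DateTime now)
    {
        TimeSpan elapsed = now - old.IssueDate;
        TimeSpan remaining = old.Expiration - now;
        if (remaining > elapsed) return old;
        return new Ticket(now, now + (old.Expiration - old.IssueDate));
    }

    // Replays requests (minutes after login) against a ticket with the given lifetime.
    // Returns the minute of the first request that arrives with an expired ticket, or -1.
    public static int FirstRejectedMinute(int lifetimeMinutes, int[] requestMinutes)
    {
        DateTime login = new DateTime(2022, 1, 1, 9, 0, 0); // constructed login time
        var ticket = new Ticket(login, login.AddMinutes(lifetimeMinutes));
        foreach (int minute in requestMinutes)
        {
            DateTime now = login.AddMinutes(minute);
            if (now > ticket.Expiration) return minute;
            ticket = RenewIfOld(ticket, now);
        }
        return -1;
    }

    public static void Main()
    {
        int[] requests = { 5, 9, 24, 50 }; // constructed request times
        // 20-minute lifetime, as hard-coded in LoginUser; 60 minutes, as in web.config.
        foreach (int lifetime in new[] { 20, 60 })
            Console.WriteLine($"lifetime={lifetime} min, first rejected request at minute: " +
                              FirstRejectedMinute(lifetime, requests));
    }
}
```

Requests made during the first half of a ticket's life do not extend it, so a session built with a 20-minute ticket can end while the user is still active, whatever `timeout` says in web.config.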