ASP.NET Webforms site using HTTPCookie with 100 year timeout times out after 20 minutes

Developer https://www.devze.com 2023-01-03 00:16 Source: Internet
I have a site that is using Forms Auth. The client does not want the site session to expire at all for users. In the login page codebehind, the following code is used:

// user passed validation
FormsAuthentication.Initialize();

// grab the user's roles out of the database 
String strRole = AssignRoles(UserName.Text);

// creates forms auth ticket with expiration date of 100 years from now and make it persistent
FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1,
  UserName.Text, DateTime.Now,
  DateTime.Now.AddYears(100), true, strRole,
  FormsAuthentication.FormsCookiePath);

// create a cookie and throw the ticket in there, set expiration date to 100 years from now
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, 
  FormsAuthentication.Encrypt(fat)) { Expires = DateTime.Now.AddYears(100) };

// add the cookie to the response queue
Response.Cookies.Add(cookie);

Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));

The web.config file auth section looks like this:

<authentication mode="Forms">
      <forms name="APLOnlineCompliance" loginUrl="~/Login.aspx" defaultUrl="~/Course/CourseViewer.aspx" />
</authentication>

When I log into the site I do see the cookie correctly being sent to the browser and passed back up:

HttpFox output http://cid-e79f8e4b07c3e30f.office.live.com/embedphoto.aspx/Public/SessionProblem.png

However, when I walk away for 20 minutes or so, come back and try to do anything on the site, the login window reappears. This solution was working for a while on our servers - now it's back. The problem doesn't occur on my local dev box running Cassini in VS2008.

Any ideas on how to fix this?


Session timeout and Forms Authentication timeout are two separate things. Is the Session timeout set to 20 minutes, and would it be logging your users out in the Session_End event in the Global.asax file by any chance?


By default, app pools in IIS 6 are set to shut down after 20 minutes of inactivity. If there's nothing in your app configuration that's causing your app to shut down that quickly, check the app pool configuration in the IIS Manager. There are lots of wonderful knobs you can set in there.


Well I do have the following in Global.asax:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        //Fires upon attempting to authenticate the user
        if (!(HttpContext.Current.User == null))
        {
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                if (HttpContext.Current.User.Identity.GetType() == typeof(FormsIdentity))
                {
                    FormsIdentity fi = (FormsIdentity) HttpContext.Current.User.Identity;
                    FormsAuthenticationTicket fat = fi.Ticket;

                    String[] astrRoles = fat.UserData.Split('|');
                    HttpContext.Current.User = new GenericPrincipal(fi, astrRoles);
                }
            }
        }
    }

Is that what you're referring to? Also, we're in an IIS6 environment if that makes any difference.


Another quick thing to check might be your hosting type. Cloud hosting will generally have a load balancer that is hard set to keep the same IP pointed to a node server for ~20 mins; however, after this time you might be pushed to a new server, creating a new session on the new server and 'logging you out'.

If you're on standard shared hosting or a single dedicated server or virtual server, however, this won't be the problem :)

To get around this and keep the asp.net sessions working you need to move session state to a database - or re-tool your code to not use sessions at all :)


You might want to check whether you are using a load balancer. If so, then really you shouldn't be storing InProc. Should be looking into a state server or sql server if you have more than one entity.

Based on the issue, it seems that the default of 30 minutes isn't being adhered to either, which generally points to IIS/Hosting/Network configuration.
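
The answers above name several different causes: forms ticket expiry, lost session state, an application shutdown, or a different node behind a load balancer. Logging each request with its ticket state, session state, machine name and process id tells them apart. This is an added example, not code from the thread; the `Log` helper, the configured trace listener and the default `ASP.NET_SessionId` cookie name are assumptions.

```csharp
// Global.asax.cs members (added example, not the poster's code). Needs using System, System.Web,
// System.Web.Security. Assumes a trace listener and the default session cookie name.
protected void Application_Start(object sender, EventArgs e)
{
    Log("AppDomain started"); // a start just before the logout means the app had been unloaded
}

protected void Application_End(object sender, EventArgs e)
{
    Log("AppDomain ending, reason=" + System.Web.Hosting.HostingEnvironment.ShutdownReason);
}

// Fires on every request, including ones about to be redirected to the login page.
protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpCookie auth = Request.Cookies[FormsAuthentication.FormsCookieName];
    string state = "no auth cookie sent";
    if (auth != null && !String.IsNullOrEmpty(auth.Value))
    {
        try
        {
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(auth.Value);
            state = t == null ? "ticket unreadable"
                : t.Expired ? "ticket expired at " + t.Expiration.ToUniversalTime().ToString("u")
                : "ticket valid until " + t.Expiration.ToUniversalTime().ToString("u");
        }
        catch (Exception ex) // cookie could not be decrypted or validated on this server
        {
            state = "ticket rejected: " + ex.GetType().Name;
        }
    }
    Log(Request.RawUrl + " | " + state); // the cookie value itself is never logged
}

// Session state is attached by now; handlers without session state have a null Session.
protected void Application_PostAcquireRequestState(object sender, EventArgs e)
{
    HttpContext ctx = HttpContext.Current;
    if (ctx.Session == null || !ctx.Session.IsNewSession) return;
    bool sentId = ctx.Request.Cookies["ASP.NET_SessionId"] != null;
    Log(ctx.Request.RawUrl + (sentId ? " | session LOST: browser sent an id with no state behind it"
                                     : " | first session for this browser"));
}

private static void Log(string msg)
{
    System.Diagnostics.Trace.WriteLine(String.Format("{0:u} {1} pid={2} {3}", DateTime.UtcNow,
        Environment.MachineName, System.Diagnostics.Process.GetCurrentProcess().Id, msg));
}
```

In the entries around a forced re-login, a changed pid or machine name points at a recycle or a different node, and "session LOST" next to a still-valid ticket points at session state. An expired or rejected ticket points at forms authentication itself.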
