I'm using forms authentication on my MVC project, and it seems that no matter what I do, you can only stay logged in for one day; then it requires you to log in again.

In my web.config, I set the timeout to a week in minutes.

```xml
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="10080" defaultUrl="/kpi" slidingExpiration="true" />
</authentication>
```

And here is where I'm setting the cookie.

```csharp
var cookie = FormsAuthentication.GetAuthCookie(account.UserName, account.RememberMe);
if (account.RememberMe)
    cookie.Expires = DateTime.Now.AddDays(7);
Response.Cookies.Add(cookie);
var returnURL = FormsAuthentication.GetRedirectUrl(account.UserName, account.RememberMe);
var hashData = Request.Form["HashHidden"];
```
Smeegs

2 Answers

2

Every time IIS recycles the app, a new machine key is generated. Your auth ticket is signed using that machine key, so when a new one is generated, the auth ticket is no longer recognized. You need to set a static machine key in your web.config.

http://aspnetresources.com/tools/machineKey

mituw16
  • This sounds like the right track. I checked my app pool, and it's set to recycle every 29 hours, which does match up. Do I just drop the generated key into the configuration section of web.config? – Smeegs Apr 15 '14 at 13:46
  • Yup, just paste it into the `` portion of the web.config – mituw16 Apr 15 '14 at 13:47
  • Okay, so this is definitely the answer. I've pushed it to the server and recycled the app pool and I stay logged in. But the problem is that I can't debug my solution any more. I get this error: `It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.` Would you know how to work around this? – Smeegs Apr 15 '14 at 14:03
  • That's odd. I've never encountered that when setting a machine key. That seems like an IIS configuration / web.config error to me. Unfortunately, I don't know how to help with that one. – mituw16 Apr 15 '14 at 14:05
  • http://stackoverflow.com/questions/2355947/error-allowdefinition-machinetoapplication-beyond-application-level Maybe one of these might help? – mituw16 Apr 15 '14 at 14:06
  • Yeah, I've looked through that thread and nothing worked. I've seen a few people say that I have to turn the folder into an application in IIS, but that's way too kludgey for me, especially if anybody tries to grab this solution from source control. – Smeegs Apr 15 '14 at 14:09
  • 1
    Got it working. I deleted the setting, and went through IIS to generate the machinekey. I added that key to my web.config in my test environment and everybody's happy. Thanks again. – Smeegs Apr 15 '14 at 14:28
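
The key-change failure described in this answer, as an added example that is not code from the original posts: it generates key material locally with the OS CSPRNG instead of an online generator and prints a `<machineKey>` element. The `Sign`/`Verify` helpers are a simplified HMAC stand-in (an assumption, not the real FormsAuthentication ticket format) and the ticket string is constructed sample data.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class MachineKeyDemo
{
    // Hex-encode the requested number of bytes from the OS CSPRNG.
    static string NewHexKey(int bytes)
    {
        var buf = new byte[bytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(buf);
        return BitConverter.ToString(buf).Replace("-", "");
    }

    static byte[] FromHex(string hex) =>
        Enumerable.Range(0, hex.Length / 2)
                  .Select(i => Convert.ToByte(hex.Substring(i * 2, 2), 16))
                  .ToArray();

    // Simplified stand-in for ticket signing: HMAC-SHA256 over the payload.
    static byte[] Sign(string payload, string hexKey)
    {
        using (var mac = new HMACSHA256(FromHex(hexKey)))
            return mac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    static bool Verify(string payload, byte[] tag, string hexKey)
    {
        var expected = Sign(payload, hexKey);
        int diff = expected.Length ^ tag.Length;   // constant-time comparison
        for (int i = 0; i < expected.Length && i < tag.Length; i++)
            diff |= expected[i] ^ tag[i];
        return diff == 0;
    }

    static void Main()
    {
        string validationKey = NewHexKey(64);   // 128 hex characters
        string decryptionKey = NewHexKey(32);   // 64 hex characters (AES-256)
        string ticket = "user=constructed-sample;remember=true";  // constructed
        byte[] tag = Sign(ticket, validationKey);
        Console.WriteLine("static key after recycle: " + Verify(ticket, tag, validationKey));
        Console.WriteLine("new key after recycle:    " + Verify(ticket, tag, NewHexKey(64)));
        Console.WriteLine("<machineKey validation=\"HMACSHA256\" decryption=\"AES\"");
        Console.WriteLine("            validationKey=\"" + validationKey + "\"");
        Console.WriteLine("            decryptionKey=\"" + decryptionKey + "\" />");
    }
}
```

Anyone who holds these keys can forge authentication tickets, so keep the real values in per-environment configuration rather than in source control.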
0

You need to set the AuthCookie with `FormsAuthentication.SetAuthCookie(username, persistent)`. See http://msdn.microsoft.com/en-us/library/twk5762b(v=vs.110).aspx

And set the proper timeout in your web.config

```xml
<system.web>
  <authentication mode="Forms">
    <forms timeout="10080" slidingExpiration="true" />
  </authentication>
</system.web>
```
matthijsb
  • Thanks for the response, but I'm using `GetAuthCookie` which does the same, but returns the cookie instead of setting the cookie for me. – Smeegs Apr 15 '14 at 13:43