I have this ASP.NET web SPA web api project that uses BEARER TOKEN Authentication.
I have deployed it to a couple different places, locally and azure cloud, and I do NOT see this issue.
Because of budget reasons I decided to buy from a hosting company (winhost). When the site is running from this host only I only see the following issue.
The issue is after you have logged into the site and sit idle for X minutes the next request fails till you refresh and login. (I get a 401 (Unauthorized))
The expiration of the token seems to only be 10-20 minutes instead of 2 weeks (which works by default on azure and my visual studio local). I have also printed out the token when received and it is 2 weeks.
The behavior I'm expecting is the bearer token to be cached (which I have confirmed by logging the header), then be sent with the next request, which then is authorized and returns results.
This new host has some default IIS settings that I think is breaking it. I already had to change a few default settings, such as manually turning off basic auth through the IIS manager.
Any ideas?
The only thing I could find matching the description of what I am seeing is this link. ASP.NET Web API Authorization tokens expiring early
I would of commented on that post but I do not have high enough reputation points. Out of convenience I have copied that post below.
I have implemented security for my web api (individual accounts) as discussed here.
I have hosted the website on godaddy (shared hosting) and its working fine. When I ask for token by using url "domain.com/token", I get the token with expiration date of within 15 days. I have set this in "StartupAuth.cs" using
AccessTokenExpireTimeSpan = TimeSpan.FromDays(15)
e.g.:
{
"access_token":"qwertyuiop.....",
"token_type":"bearer",
"expires_in":1209599,
"userName":"user@example.com",
".issued":"Wed, 11 Feb 2015 01:00:00 GMT",
".expires":"Thu, 26 Feb 2015 01:00:00 GMT"
}
(I put values in above code, but you get the idea of the ".expires" field.
5 minutes after getting the token, when I try and access "get" or "post" or any method in my API by passing authorization: bearer token in header as:
Authorization: Bearer qwertyuiop.....
I get this error:
{"Message":"Authorization has been denied for this request."}
Although its just been 5 minutes and token is supposed to last 15 days, it expires within 5 minutes. When I request any method "get"/"post" within interval of 5 minutes, I get the proper response with my data in JSON. In short, authorization succeeds.
I have repeated this behavior by testing it via Fiddler, REST plugin of Chrome and via the mobile app which uses the API.
I have web.config values for session as below (I thought its related)
<sessionState timeout="180" />
Note that forms authentication is not used, so timeout on that section in web.config is not necessary.
Any idea what's going on? This timeout is causing the users of mobile apps which use the API to re-login every now and then. Any help would be appreciated.
Thanks.
