6

I am using ASP.NET identity membership. This is the Startup.Auth.cs code:

    app.CreatePerOwinContext(EFDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

    // Enable the application to use a cookie to store information for the signed in user
    // and to use a cookie to temporarily store information about a user logging in with a third party login provider
    // Configure the sign in cookie
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        ExpireTimeSpan = TimeSpan.FromHours(3),
        CookieName = "MyLoginCookie",

        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });

As you can see, I've set ExpireTimeSpan to 3 hours, but on the production server it doesn't work; it expires in about ten minutes. When I inspect the elements, MyLoginCookie still exists. On localhost it works fine. Why does it have problems on the production server? Do I need to set CookieDomain?

Erik Philips
user3857731
  • `It expires about in ten minutes` - what are the circumstances in which this happens? Is it 10 minutes of inactivity or is the client actively executing requests and 10 minutes after initial logon it still expires? What is the expiration date/time of the cookie in the browser (should be viewable with your browser dev. tools)? What browser(s) have you tried? `on production server it doesn't work` - where does it work as expected (just locally or on a test server)? Anything else you can provide to give more insight? – Igor Mar 28 '16 at 13:01
  • (production) If the user doesn't send an HTTP request for about ten minutes, he is logged out. Locally I was inactive for about 30 minutes, but when I came back I was still logged in. I am using Google Chrome, and in inspect element the MyLoginCookie expire time is N/A, on both the local and the production server – user3857731 Mar 28 '16 at 13:04
  • Have you looked at [this write up](http://www.jamessturtevant.com/posts/ASPNET-Identity-Cookie-Authentication-Timeouts/) yet? It does a good job at explaining the differences and expected behavior of the timeouts. – Igor Mar 28 '16 at 13:08
  • Yup, I've read it. Maybe it's an IIS problem, but I don't know. It works fine on local :( – user3857731 Mar 28 '16 at 13:09
  • Don't have any ideas? :/ – user3857731 Mar 28 '16 at 13:17
  • IIS has an app pool recycle time that defaults to 20 minutes (I think). If you have anything stored in memory like Session State it might be a factor. This is not user specific but app specific, so if no requests come in for XX minutes the app pool shuts down and is recycled on the next request. – Igor Mar 28 '16 at 13:22
  • How to check if it's a problem? – user3857731 Mar 28 '16 at 13:24
  • https://technet.microsoft.com/en-us/library/cc771956(v=ws.10).aspx – Igor Mar 28 '16 at 13:25
  • Well, it's not a problem – user3857731 Mar 28 '16 at 13:39
  • What version of ASP.NET Identity are you using? Maybe your problem is this issue: http://stackoverflow.com/questions/23983726/expiretimespan-ignored-after-regenerateidentity-validateinterval-duration-in-m – Ivan Yuriev Mar 28 '16 at 14:48

1 Answer

11

The reason for users being logged off is an error in the validation of forms-authentication data and view-state data. It can happen for different reasons, including the use of a web farm by the hosting service. You should check the <machineKey> in your project's web.config. Check here for details about that. If you don't have a <machineKey> in your web.config, try adding this piece of code after <system.web> in your web.config:

    <machineKey
        validationKey="AutoGenerate,IsolateApps"
        decryptionKey="AutoGenerate,IsolateApps"
        validation="HMACSHA256"
        decryption="Auto"
    />

The other option is to use a generated ASP.NET machine key inside web.config. There are some online tools for this; my recommended ones are this and this.

Hadee
    Saved me a lot of bafflement there! I found I did need the generated machine key, with auto generate it made little/no difference. – d219 Aug 06 '18 at 23:18
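An added example, not code from the question or the answer above, covering two things the answer leaves to the reader: generating an explicit machine key of the right size for the algorithms named in the web.config fragment (64 bytes for HMACSHA256, 32 bytes for AES), and a small simulation of why "AutoGenerate" keys lose sessions on a web farm. Auto-generated keys are machine-specific, so a cookie protected on one server cannot be validated on another, and the user is silently treated as logged out even though the cookie is still in the browser, which matches the symptom in the question. The ticket format in the simulation is a deliberately simplified HMAC-only stand-in for the real ASP.NET/OWIN cookie protection; the function and variable names are this example's own, and the `decryption="AES"` value is the usual choice when you paste generated keys rather than the `Auto` of the AutoGenerate variant.

```python
"""
Added example (not from the original question or answer).

1. generate_machine_key / machine_key_element: produce a <machineKey> element
   with explicit, correctly sized keys for validation="HMACSHA256" and
   decryption="AES".
2. farm_scenario: a simplified model of a web farm where server A issues the
   sign-in cookie and server B receives the next request. With a shared key the
   ticket validates on both nodes; with per-server ("AutoGenerate") keys it
   fails on B, so the user appears logged out well before ExpireTimeSpan.

The ticket format (base64 payload + HMAC-SHA256) is a stand-in for the real
ASP.NET cookie protection, which also encrypts; the point demonstrated is key
sharing, not the wire format.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Key sizes matching the algorithms named in the answer's <machineKey>:
# 64 bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32


def generate_machine_key() -> dict:
    """Return freshly generated, upper-case hex keys as web.config expects them."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
    }


def machine_key_element(keys: dict) -> str:
    """Render the <machineKey> element to paste under <system.web>."""
    return (
        "<machineKey\n"
        f'    validationKey="{keys["validationKey"]}"\n'
        f'    decryptionKey="{keys["decryptionKey"]}"\n'
        '    validation="HMACSHA256"\n'
        '    decryption="AES"\n'
        "/>"
    )


def issue_ticket(validation_key: bytes, user: str, lifetime_s: int, now: float) -> str:
    """Simplified sign-in cookie: base64(payload) + '.' + base64(HMAC-SHA256(payload))."""
    payload = json.dumps({"user": user, "exp": now + lifetime_s}).encode()
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def validate_ticket(validation_key: bytes, ticket: str, now: float):
    """Return the user name if the MAC verifies under this key and the ticket is
    unexpired; otherwise None, which is what a server does when the cookie was
    protected with a key it does not hold (the user is treated as anonymous)."""
    try:
        b64_payload, b64_mac = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload)
        mac = base64.urlsafe_b64decode(b64_mac)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # key mismatch: different machineKey on this node
    data = json.loads(payload)
    if data["exp"] <= now:
        return None  # genuinely past ExpireTimeSpan
    return data["user"]


def farm_scenario(shared_key: bool) -> tuple:
    """Server A issues a 3-hour ticket; both A and B check it 10 minutes later.
    Returns (result_on_A, result_on_B). Constructed scenario, fixed clock."""
    now = 1_700_000_000.0
    key_a = bytes.fromhex(generate_machine_key()["validationKey"])
    # AutoGenerate: each machine derives its own key, so B's differs from A's.
    key_b = key_a if shared_key else bytes.fromhex(generate_machine_key()["validationKey"])
    ticket = issue_ticket(key_a, "alice", lifetime_s=3 * 3600, now=now)
    on_a = validate_ticket(key_a, ticket, now + 600)
    on_b = validate_ticket(key_b, ticket, now + 600)
    return on_a, on_b


if __name__ == "__main__":
    print(machine_key_element(generate_machine_key()))
    print("shared key   :", farm_scenario(shared_key=True))   # ('alice', 'alice')
    print("per-node keys:", farm_scenario(shared_key=False))  # ('alice', None)
```

Run it once, paste the printed element into every node's web.config (the same value on all of them), and keep the keys out of source control as you would any other secret. The two `farm_scenario` calls show the difference the comment above reports: with AutoGenerate the cookie is still present in the browser but fails validation on the node that did not issue it, which looks exactly like a premature expiry.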