2

I want to log a user into an ASP.NET MVC site, and the session expires very quickly, in minutes. Authentication is done in one line of code:

authProvider.Authenticate(model.UserName, model.Password)

Then I have in Web.config: 

<authentication mode="Forms">
<forms loginUrl="~/Account/Login" name=".ASPXAUTH" timeout="300" slidingExpiration="true">

and the setting on the IIS on the server for 300 minutes.

What is the problem?

krlzlx
  • 5,752
  • 14
  • 47
  • 55
Nicoara Talpes
  • 710
  • 1
  • 13
  • 28
  • Isn't it because your `sessionState timeout` has a low value? – krlzlx Feb 16 '17 at 16:28
  • those are minutes. so it should expire in 300 minutes, but it expires in 5. – Nicoara Talpes Feb 16 '17 at 17:01
  • I'm not talking about the `forms timeout` but the `sessionState timeout` – krlzlx Feb 16 '17 at 17:10
  • I added the timeout property to the session state, but still the same behavior: ` ` – Nicoara Talpes Feb 17 '17 at 15:18
  • 2
    What value do you have in the `Idle Time-out` parameter or your Application Pool? Please refer to this [article](http://aspnetfaq.com/iis7-application-pool-idle-time-out-settings/) and this [question](http://stackoverflow.com/q/39866953/1351076). – krlzlx Feb 17 '17 at 15:35
  • 1
    @krlzlx you are correct! the value was 5 and now changing it to 300 saves the session. This is an amazing answer that I feel must be rewarded, if you would like to answer the question. thank you! – Nicoara Talpes Feb 17 '17 at 22:20
  • You're welcome. I've added an answer. – krlzlx Feb 17 '17 at 23:52

1 Answers1

1

Make sure you have a sessionState timeout value that matches your forms timeout:

<system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" 
         name=".ASPXAUTH"
         timeout="300"
         slidingExpiration="true" />
    </authentication>
    <sessionState timeout="300" mode="InProc" />
</system.web>

You also need to change the Idle Time-out parameter of your Application Pool to the desired authentification timeout to avoid the Application Pool to recycle too soon and therefore lose your sessions.

This parameter can be found in:

IIS - Application Pools - Advanced Settings of the Application Pool in question.

References:

If you don't want to change this parameter(*), a solution is to use the StateServer mode of the Session State. This mode uses a service to store the session instead of the memory with In-Process mode. It has the advantage of not losing the session when the Application Pool is recycled. It's also very easy to configure:

<system.web>
    <sessionState mode="StateServer"
       stateConnectionString="tcpip=loopback:42424"
       cookieless="false"
       timeout="300" />
</system.web>

(*) 5 minutes is very low. The default is 20 minutes. So I advice to set it to at least the default value if using the StateServer mode.

Reference:

krlzlx
  • 5,752
  • 14
  • 47
  • 55
  • Hello, so this worked for two months. now it doesn't any more. I see there are two cookies set , one Cookies/.ASPXAUTH (expires "When the browsing session ends") and another in Local Storage / name of my website (subdomain.domain.com, but does not have any associated metadata with it? ) . what do you advise? – Nicoara Talpes Apr 22 '17 at 15:17
  • I advise you to try the `StateServer` mode of the Session State like described in the second part of my answer. – krlzlx Apr 25 '17 at 12:37
  • Right, I overlooked that. I have now added both and I still lose the session in around 15 minutes. Should the text inside stateConnectionString be different than "tcpip=loopback:42424"? – Nicoara Talpes Apr 26 '17 at 14:58
  • No, that setting should work. Did you set the `timeout` to 300? You can check this setting in IIS -> YourSite -> Session State -> Cookie Settings - `Time-out (in minutes)` should be 300. – krlzlx Apr 26 '17 at 15:26
  • Yes it is my webconfig is: I publish with: - delete all existing files - precompile during publish - exclude files from App_Data folder – Nicoara Talpes Apr 27 '17 at 12:39