
I used Membership and this code to create a persistent cookie to prevent the user from being automatically signed out after sign-in:

```csharp
FormsAuthentication.SetAuthCookie(user.Id.ToString(), true);
```

And I use these settings in the web.config file:

```xml
<authentication mode="Forms">
  <forms name=".mywebsite" cookieless="UseCookies" loginUrl="~/Account/SignIn" defaultUrl="~/ManagePanel/Statistic" slidingExpiration="true" protection="All" path="/" timeout="43200" />
</authentication>
<sessionState mode="InProc" timeout="43200" />
<httpModules>

<modules>
  <remove name="FormsAuthenticationModule" />
  <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
  <remove name="UrlAuthorization" />
  <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
  <remove name="DefaultAuthentication" />
  <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
```

I want the user to be signed out only when they hit the sign-out button, and I don't want them to be signed out after a while.

How can I solve my problem?

Mike
  • Currently you have set the validity of the forms authentication cookie to `43200` minutes with sliding expiration. This means that if there is no activity from the user for this amount of time the cookie will be invalidated. Isn't this period sufficient for you? Or do you need an infinite timeout so that the cookie never expires? – Darin Dimitrov Apr 22 '17 at 10:10
  • @DarinDimitrov It's a sufficient period, but it's not working. For example, it expires after 30 minutes, not a month – Mike Apr 22 '17 at 10:17
  • I see that you are also using ``. Does your authentication rely on some value stored inside this Session? If so, then you should not use `InProc`. Because this means that your session values are stored in the memory of the AppDomain. And as you know, the AppDomain could be unloaded by IIS at any moment. For example if there's no activity or if some CPU or memory watermarks are reached. You will have to use an out-of-proc storage mechanism for sessions if you want them to survive AppDomain restarts (which can happen at any time, outside of your control). – Darin Dimitrov Apr 22 '17 at 10:17
  • @DarinDimitrov No, I don't use session for authentication, I only use `FormsAuthentication.SetAuthCookie(user.Id.ToString(),true);` and `[Authorize]` filter in controllers – Mike Apr 22 '17 at 10:28
  • That's strange, because 30 minutes is exactly the time after which by default IIS will unload the AppDomain of an application if there's no activity. So it looks like your code somehow relies on this session for authentication. Note that the FormsAuthentication cookie is absolutely stateless and `43200` minutes means `43200` minutes. Can you try disabling the SessionState: ``? – Darin Dimitrov Apr 22 '17 at 10:29
  • @DarinDimitrov I don't have any problem locally, my problem is only on the host – Mike Apr 22 '17 at 10:32
  • Do you host your application on one machine or multiple? – Darin Dimitrov Apr 22 '17 at 10:33
  • @DarinDimitrov No, it's only on a shared host – Mike Apr 22 '17 at 10:34
  • Can you try setting the `machineKey` explicitly in your web.config: http://stackoverflow.com/a/3855874/29407 Maybe the key somehow changes on the remote host and your application is unable to decrypt the forms authentication cookie. – Darin Dimitrov Apr 22 '17 at 10:36
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/142337/discussion-between-mike-and-darin-dimitrov). – Mike Apr 22 '17 at 11:51

1 Answer

The solution was the one suggested in the comment by Darin Dimitrov:

> Can you try setting the `machineKey` explicitly in your web.config: https://stackoverflow.com/a/3855874/29407 Maybe the key somehow changes on the remote host and your application is unable to decrypt the forms authentication cookie.

Community
Mike
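
An added illustration, not code from the question, the answer or ASP.NET itself: this C# console sketch models the hypothesis from the comments, where a ticket signed under an auto-generated key stops validating once the host regenerates that key, well inside the 43200-minute timeout, and then prints an explicit `machineKey` element with freshly generated keys. The ticket format and every helper name are simplified assumptions; real Forms Authentication tickets are also encrypted with the `decryptionKey`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model: only the validationKey-style signature is reproduced here.
static class MachineKeyDemo
{
    static byte[] NewKey(int size)
    {
        var key = new byte[size];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }
    static string Hex(byte[] b) => BitConverter.ToString(b).Replace("-", "");
    static string Sign(string payload, byte[] key)
    {
        using (var mac = new HMACSHA256(key))
            return Hex(mac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    // Hypothetical cookie format: "userId|expiryTicks.signature"
    static string Issue(string userId, DateTime expiresUtc, byte[] key)
    {
        string payload = userId + "|" + expiresUtc.Ticks;
        return payload + "." + Sign(payload, key);
    }

    static bool Validate(string cookie, DateTime nowUtc, byte[] key)
    {
        int dot = cookie.LastIndexOf('.');
        if (dot < 0) return false;
        string payload = cookie.Substring(0, dot), tag = cookie.Substring(dot + 1);
        string expected = Sign(payload, key);
        int diff = expected.Length ^ tag.Length;          // constant-time comparison
        for (int i = 0; i < expected.Length && i < tag.Length; i++) diff |= expected[i] ^ tag[i];
        if (diff != 0) return false;                      // wrong key or tampered cookie
        return nowUtc.Ticks < long.Parse(payload.Substring(payload.LastIndexOf('|') + 1));
    }

    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        byte[] autoKey = NewKey(32);                      // stands in for an auto-generated key
        string cookie = Issue("42", now.AddMinutes(43200), autoKey);
        // Same key, 31 minutes later: the signature still checks out.
        Console.WriteLine(Validate(cookie, now.AddMinutes(31), autoKey));
        // Key regenerated (e.g. after the application is unloaded): signature check fails.
        Console.WriteLine(Validate(cookie, now.AddMinutes(31), NewKey(32)));
        // Explicit keys for <system.web>; generate once and keep them secret.
        Console.WriteLine("<machineKey validationKey=\"" + Hex(NewKey(32)) + "\" decryptionKey=\""
            + Hex(NewKey(32)) + "\" validation=\"HMACSHA256\" decryption=\"AES\" />");
    }
}
```

Treat the generated keys like any other credential: anyone who obtains the `validationKey` and `decryptionKey` can forge authentication cookies for the site, so keep them out of source control and shared screenshots.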