Hi, I'm not sure what is going on here, but if i configure my web.config file to set the timeout for the cookie which is used for the form authentication, the value is not being used and the defaylt which is 30 mins is being used instead. Has anyone else seen this problem? <authorization> <deny users="?"/> </authorization> <authentication mode="Forms"> <forms slidingExpiration="true" timeout="50000000"/> </authentication> Thanks Nick
Our system is configured to monitor each web application pool for inactivity of 20 minutes. If your web application shows inactivity for 20 minutes our system will recycle your web application thus losing your session. Although the cookie is still active on the client side the session object has been drop. The alternative to this is setting your web application with SQL session. Try referencing this kb article for more information on our SQL session. http://kb.discountasp.net/article.aspx?id=10350 Post Edited By Moderator (mjp) : 5/25/2007 6:12:35 PM GMT
Raymon, Thanks for the help on this. The SQL Server route actually makes more sense as this will be more portable if we ever move to another server. If the server settings are different, we could end up with a different problem. Regards Nick
Hi there, I appear to be having a similar problem. The difference is that I don't rely on the Session for anything- if a session timeout is detected but authorisation still exists, the Session data is rebuilt. This works fine in the development environment, which also has a Session timeout but doesn't seem to work in production on the discountasp server. The user becomes logged out (Context.User.Identity.IsAuthenticated is false). Unfortunately I can't think of any reason this would be the case, I've been scratching my head for days. Bastett
I think I just found the answer: "This is a problem with the forms authentication cookie.Data in the cookies are encrypted using a machineKey that gets generated randomly every time a web process gets recycled.Cookies that were created using the old machineKey will no longer be valid.We recycle web processes that have been idle (no hits whatsoever) for 20 minutes regardless of session timeout. To resolve this, you have a couple of options: 1. Set the protection attribute in the forms element to "None". 2. If you want to keep the protection enabled, you must create your own machineKey so that it's constant.See http://support.microsoft.com/kb/312906." I'll give that a go.
I have been using the following web.config file in applications at discountasp.net since 2003 and it has always worked until now. <configuration> <system.web> <customErrors mode="Off"/> <authentication mode="Forms"> <forms name=".ASPXFORUM" loginUrl="login.aspx" protection="All" timeout="60" path="/" /> </authentication> <authorization> <deny users="?" /> </authorization> <sessionState cookieless="true" timeout="60" /> </system.web> </configuration> In orderfor me toupgrade from ASP.NET 1.1 to 2.0, my account was moved to a new server location. Now I run into the problem discussed in this thread. The sessions are timing out after 20 minutes. So I thought, since it worked under ASPNET 1.1 before, I would change the ASP.NET version setting back to 1.1. But the session still times out. So apparantly, the systems are set up differently on the old server on which I was located. I should have stayed where I was. Now in order for my one hour session variables to be remembered I will have to switch to SQL Server authentication? I do have a SQL server account. Do I need a second database, or can we simply add another table to my existing database? bmacd
The session schema could be created on the same database your web application uses. We only recommend getting another database addon for any possible conflicts like having an existing table name that the session schema will need to create. There are numerous possible causes on when a web application will loose the session, one can be the session timeout settings set low, or the web application is being restarted. And then there is also the forms timeout setting. http://weblogs.asp.net/scottgu/archive/2005/11/08/430011.aspx The forms timeout setting is separate from session and incorporating a sqlsession will not help. My best suggestion is finding out first what is causing your authentication to drop after 20 minutes. If you have a local machine try setting it up with IIS and incorporate certain conditions on it. 1) More than 20 minutes of idle time (no http request in 20 minutes) 2) The application uses more than 100 MB memory 3) The application uses more than 75% of CPU time If any of these conditions are meet, then we can pretty much guarantee that our server is recycling your web application and a SQLSession will be the best alternative. Also check your forms timeout setting. If you want we can also go with the SQLSession route and you need only open a ticket with the request and letting discountasp support know what .net framework you will be using. I suggest the latter cause I really don't want to see you do any coding modifications and a database modification without knowing for sure if it is going to resolve your problem.
I'vepurchased a new SQL for the session databases, but this doesn't seem to have helped. Trouble is we have just moved offices over the last week and I haven't had time to test this properly. Our new offices have not had the broadband connected yet either so limited to checking emails in the evening. When you talk about Forms Timeout, when is this defined?
