Forms Authentication issue

Discussion in 'ASP.NET / ASP.NET Core' started by jmachado, Jun 18, 2007.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. I hope someone here can help me out.

    I have an asp.net application that is using forms authentication. The problem is that users that have logged in are being redirected to the login page if they are idle for a period of time (I have yet to narrow down the time frame). My first concern is, does Forms Authentication rely on the session? If so, could I be required to log in if my session expires? This would seem odd since the Forms authentication relies on a cookie. I expect that the user should stay logged in until the cookie has expired. Is this correct?

    Here is some more information that may be pertinent:

    1)The web.config authentication element I use is:
    <authentication mode="Forms">
    <forms name="AuthCookie" loginUrl="login.aspx" protection="All" timeout="10080"></forms>
    </authentication>

    2) The session state is configured as:
    <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="1"/>


    Note that I have the session timeout set at 1 minute. This was to help determine if the session timing out was the cause of the problem. This does not seem to be true as a user may be idle for 5-10 minutes and not be required to log in at their next action, however 30-40 min of idle time requires them to log in.

    3) I am creating my own FormsAuthentication.ticket in code like so:

    ' Arguments: version, user name, issue time, expiry, persistent flag,
    ' user data (a String; the conversion is made explicit here), cookie path.
    ' The "_" line-continuation after "(1," was missing in the original.
    Dim ticket As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
    txtUsername.Value, _
    DateTime.Now, _
    DateTime.Now.AddYears(1), _
    chkRemember.Checked, _
    CStr(objUser.UserId), _
    FormsAuthentication.FormsCookiePath)


    If anyone has any suggestions or is experienced with the use of Forms Authentication, their advice would be greatly appreciated.
    Thanks.
     
  2. Forms authentication does go on session. However, it can either use the web server session, which on our web server we only support as InProc session, or you can use a SQL database to hold your session. After reviewing your code, your session is saved on the web server. We do have 3 conditions implemented on all our web servers so that resources on the server will not be over-utilized by one account. This is to ensure that everyone on those servers is protected. Here are the conditions....

    1) More than 20 minutes of idle time (no http request in 20 minutes)
    2) The application uses more than 100 MB memory
    3) The application uses more than 75% of CPU time

    It appears your web application is passing the threshold of the first condition. So although you set your session to time out after 60 minutes, if your web application experiences 20 minutes of inactivity (which means no HTTP calls to the application) then our system will recycle the application, thus losing your session that is stored with your application pool.

    Reference this kb article for some guidelines on configuring ASP.Net membership/roles provider on our server. This should help you out on how to properly set forms authentication. http://kb.discountasp.net/article.aspx?id=10413

    Please understand that this will require that you have a SQL addon to your discountasp account.
     
  3. I was able to resolve the issue and felt it necessary to post the answer here in case others experience the same problem.

    The problem was indeed related to the fact that the application pool was recycling after 20 minutes of idle time. The site is in the beta testing stages and therefore inactive for large periods of time. The session will indeed be destroyed during an app pool recycle; however, the site was designed to not be session dependent, so this seemed an unlikely source of the problem.

    All the research I conducted indicated that forms based authentication is not session based, and my testing has backed this up. However, one aspect of the cookie based forms authentication method that is application-instance dependent is the machineKey used to encrypt/decrypt the forms authentication cookie. This key, if not specified in the web.config or machine.config, is dynamically generated when an application launches. If the pool is recycled, the key is lost and a new one is generated. However, any users that were previously authenticated will have an encrypted cookie that can no longer be decrypted with the current key. This results in the user being considered unauthenticated, and being redirected to the login page.

    So, the solution I have gone with is to add a machineKey into the web.config file, thereby guaranteeing that the encryption/decryption will work between app restarts.

    I hope this helps someone else.
     
  4. I have been having problems on our site with certain members who are using the correct login and have cookies enabled but for some reason the forms authentication cookie was failing. I'm hoping that adding the machinekey to my web.config file will help.

    I found a site that will create a random machinekey for you for others who are interested:
    http://aspnetresources.com/tools/keycreator.aspx
     
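The failure mode the third post describes (a ticket issued under an auto-generated key stops validating after the application pool recycles) and the key generation the fourth post links to, as an added example that is not the original posters' code and not System.Web's implementation. The ticket protection here is a simplified stand-in (HMAC-SHA1 validation of "user|expiry", no encryption) that models the behaviour described in the thread; `AppInstance`, `survives_recycle` and `machine_key_element` are names chosen for this example, and the assumption that an auto-generated key lives only inside one worker process is the one the thread relies on.

```python
"""Why an auto-generated machineKey logs users out after an app-pool
recycle, and how to generate a pinned <machineKey> element instead.

Added example, not the original poster's code and not System.Web's
implementation: the ticket protection here is a simplified stand-in
(HMAC-SHA1 validation of "user|expiry", no encryption) that models the
behaviour described in the thread."""
import hashlib
import hmac
import secrets
import time


class AppInstance:
    """One worker-process lifetime.

    With machine_key=None the instance generates a fresh key at start-up,
    modelling an ASP.NET application that has no <machineKey> element in
    web.config (assumption: that key exists only inside this process)."""

    def __init__(self, machine_key=None):
        self.validation_key = machine_key or secrets.token_bytes(64)

    def issue_ticket(self, user, ttl_seconds):
        """Return the cookie value: hex(payload) '.' hex(HMAC tag)."""
        expires = int(time.time()) + ttl_seconds
        payload = f"{user}|{expires}".encode()
        tag = hmac.new(self.validation_key, payload, hashlib.sha1).hexdigest()
        return payload.hex() + "." + tag

    def authenticate(self, cookie, now=None):
        """Return the user name if the cookie validates, else None.

        None is the outcome that sends the browser back to loginUrl."""
        try:
            payload_hex, tag = cookie.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None  # malformed cookie
        expected = hmac.new(self.validation_key, payload, hashlib.sha1).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None  # signed under a different key: treated as unauthenticated
        user, expires = payload.decode().rsplit("|", 1)
        current = time.time() if now is None else now
        if current > int(expires):
            return None  # the ticket itself has expired
        return user


def survives_recycle(pinned_key):
    """Issue a 7-day ticket, recycle the pool, present the old cookie again.

    pinned_key is the bytes of a validationKey from web.config, or None
    for the auto-generated case. Returns the user name or None."""
    app = AppInstance(pinned_key)
    cookie = app.issue_ticket("jmachado", ttl_seconds=7 * 24 * 3600)
    app = AppInstance(pinned_key)  # the recycle: new process, new key unless pinned
    return app.authenticate(cookie)


def machine_key_element(validation="SHA1", decryption="AES"):
    """Build a <machineKey> element with locally generated random keys:
    64 bytes for the HMAC validationKey and 32 bytes (AES-256) for the
    decryptionKey, hex-encoded as ASP.NET expects."""
    validation_key = secrets.token_hex(64)  # 128 hex characters
    decryption_key = secrets.token_hex(32)  # 64 hex characters
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            f'validation="{validation}" decryption="{decryption}" />')


if __name__ == "__main__":
    print("auto-generated key, user seen after recycle:", survives_recycle(None))
    print("pinned key, user seen after recycle:", survives_recycle(b"key-from-web.config"))
    print(machine_key_element())
```

The generated element belongs inside `<system.web>` in web.config, next to the `<authentication>` element shown in the first post, and every server in a web farm must carry the same values or cookies issued by one box will be rejected by the next. Generating the keys locally with a CSPRNG also means no third-party web page ever sees them. `SHA1`/`AES` were the ASP.NET 2.0-era defaults; later framework versions also accept `validation="HMACSHA256"`.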