20-minute timeouts

Discussion in 'ASP.NET 2.0' started by jzahoor, Nov 9, 2006.

  1. Users of our application are getting signed out and asked to re-login if they leave the computer for over 20 minutes without any activity. I need them to stay signed in for a duration of at least 4 hours, but only if they chose to create a persistent cookie at sign-in.

    I've tried to extend the session timeout, cookie expiration and forms authentication timeout periods to a higher time, say 4 hours. I've tried doing it through web.config and through code but even though the timeout periods seem to get extended, in reality the application seems to expire around 20 minutes anyway. With a persistent cookie, I get about 20 minutes and if I don't persist the cookie, then I get about 10 minutes before the session expires.

    I use Page.User.Identity.IsAuthenticated to determine whether a user is a valid user. I would like that property to remain true for the duration of a set time (4 hours) regardless of http request inactivity. The 20-minute process recycle from the server is causing the Page.User.Identity.IsAuthenticated to become false after 20 minutes of inactivity. I'm creating a persistent cookie but am still unable to keep the Page.User.Identity.IsAuthenticated value to stay true.


    Any input/help will be appreciated.

    Thanks,

    Jamil


    <code>
    Default.aspx.vb:

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        If Not IsPostBack Then
            ' Show the authenticated panel only when the forms ticket is still valid
            If Page.User.Identity.IsAuthenticated Then
                pnlPublic.Visible = False
                pnlAuthenticated.Visible = True
            Else
                pnlPublic.Visible = True
                pnlAuthenticated.Visible = False
                txtUsername.Focus()
            End If
        End If
    End Sub

    Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogin.Click
        If IsValid Then
            Dim s As New Security
            Dim strauthCode As String = s.AuthenticateUser(txtUsername.Text, txtPassword.Text, Application) 'Obtaining an access code from the db
            Select Case Len(strauthCode)
                Case Is > 1
                    ' Note: this ticket is built but never written to a cookie;
                    ' RedirectFromLoginPage below issues its own ticket using the
                    ' <forms> timeout from web.config.
                    Dim ticket As New FormsAuthenticationTicket(1, strauthCode, DateTime.Now, DateTime.Now.AddHours(4), chkPersistent.Checked, strauthCode)
                    FormsAuthentication.RedirectFromLoginPage(strauthCode, chkPersistent.Checked)
                Case Else
                    lblErrorMsg.Text = "Invalid credentials!"
                    txtPassword.Focus()
            End Select
        End If
    End Sub

    web.config:

    <authentication mode="Forms">
        <forms name="MainPage" loginUrl="Default.aspx" timeout="240" slidingExpiration="true"/>
    </authentication>
    </code>

    Post Edited (Jimmy) : 11/9/2006 6:55:30 PM GMT
     
  2. This is a problem with the forms authentication cookie. Data in the cookies are encrypted using a machineKey that gets generated randomly every time a web process gets recycled. Cookies that were created using the old machineKey will no longer be valid. We recycle web processes that have been idle (no hits whatsoever) for 20 minutes regardless of session timeout.

    To resolve this, you have a couple of options:

    1. Set the protection attribute in the forms element to "None".

    2. If you want to keep the protection enabled, you must create your own machineKey so that it's constant. See http://support.microsoft.com/kb/312906.









    Aristotle

    DiscountASP.NET
    www.DiscountASP.NET
     
  3. I went with your first option and it seems to be working.

    Thanks for your help
     
  4. Ok now I get this...


    "Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster."


    ...when I try to submit a form that was opened before application recycled.


    Steps: form opened, app recycled, form submitted, error!


    I would like to attempt your second option that you mentioned but how do I implement that on your servers, knowing that I cannot modify your machine.config?


    Jimmy



    Post Edited (Jimmy) : 11/12/2006 10:59:06 AM GMT
     
  5. The machineKey can be set in the application level, which will override the machine-level setting.

    Aristotle

    DiscountASP.NET
    www.DiscountASP.NET
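
The application-level machineKey described in posts 2 and 5, as an added example that is not part of the original thread or the host's own configuration. The key values are placeholders, and the SHA1/AES algorithm choices and the explicit protection="All" are assumptions; the forms attributes are the ones from the first post.

```xml
<!-- web.config in the application root (added example, placeholder keys) -->
<configuration>
  <system.web>
    <!-- Fixed keys override the auto-generated machine-level keys, so forms
         tickets and view state MACs issued before a process recycle still
         validate afterwards. Placeholders: replace with hex strings from a
         cryptographic random number generator, unique to this application. -->
    <machineKey
        validationKey="PLACEHOLDER_128_HEX_CHARS"
        decryptionKey="PLACEHOLDER_64_HEX_CHARS"
        validation="SHA1"
        decryption="AES" />

    <authentication mode="Forms">
      <!-- protection="All" (the default) keeps the ticket encrypted and
           MAC-validated. With protection="None" the cookie is neither, so
           its contents are not protected against reading or tampering. -->
      <forms name="MainPage" loginUrl="Default.aspx"
             timeout="240" slidingExpiration="true" protection="All" />
    </authentication>
  </system.web>
</configuration>
```

Anyone who obtains these keys can produce tickets the application accepts, so treat the file as a secret and keep the real values out of source control and forum posts.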
     
