Form authentication slidingExpiration does not work
B

5

5

I have the code below:

int intTimeout = (FormsAuthentication.Timeout.Hours * 60) +
  FormsAuthentication.Timeout.Minutes;
var authTicket = new FormsAuthenticationTicket(1, Utility.userCookie, DateTime.Now, 
  DateTime.Now.AddMinutes(intTimeout), true, cookieValue);

string strEncryptedTicket = HttpUtility.UrlEncode(FormsAuthentication.Encrypt(authTicket));
var authCookie = new HttpCookie(Utility.userCookie, strEncryptedTicket);
authCookie.Expires = authTicket.Expiration;
//FormsAuthentication.RedirectFromLoginPage("", false);
authCookie.Secure = FormsAuthentication.RequireSSL;
//authCookie.Secure = true;

HttpContext.Current.Response.Cookies[Utility.userCookie].Expires = authTicket.Expiration;
HttpContext.Current.Response.Cookies[Utility.userCookie].Value = authCookie.Value;

Below is the web.config:

<authentication mode="Forms">
  <forms timeout="2" slidingExpiration="true" requireSSL="true" />
</authentication>

I keep hitting the page link, but it still expires in 2 minutes.

Butylene answered 13/3, 2018 at 10:59 Comment(6)
Please provide more details: 1) the version of the web server you're hosting this on, 2) do you have any changes around FormAuthenticationModule in your web.config, 3) what is the value of Utility.userCookie? – Gipson
Can you provide your web.config file? – Andie
Where are you reissuing the authCookie as part of the response? It appears you are creating one then never sending it back to the user. Next... are you sure you are not using the Identity framework? Any project created in the past few years would not be using forms authentication by default and thus any settings you place there would not be respected by the Identity framework. – Leishmaniasis
I have given the web.config details, whatever is there related to form authentication. – Butylene
What is your ASP.NET version? – Batholomew
MVC5, Visual Studio 15 – Butylene
C
3

Please pay attention to the structure of custom forms–based authentication in web.config:

<forms 
   name="name" 
   loginUrl="URL" 
   defaultUrl="URL"
   protection="[All|None|Encryption|Validation]"
   timeout="[MM]"
   path="path"
   requireSSL="[true|false]"
   slidingExpiration="[true|false]"
   enableCrossAppRedirects="[true|false]"
   cookieless="[UseUri|UseCookies|AutoDetect|UseDeviceProfile]" 
   domain="domain name"
   ticketCompatibilityMode="[Framework20|Framework40]">
   <credentials>...</credentials>
</forms>

As you see, the timeout property works in minutes, and you set it to 2 (e.g. 2 minutes).

Generally, if you enable slidingExpiration in web.config, you have no need to regenerate a new cookie manually. For your scenario, I suggest you use a trace tool, e.g. Fiddler. When you refresh the page, you can check in Fiddler whether the cookie expiration time is reset.

I found a good example in Weird Timeouts With Custom ASPNETFormsAuthentication which may clear things up for you.

Cashier answered 28/3, 2018 at 6:21 Comment(0)
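
Added example (not from the question or any answer above): when checking the cookie in Fiddler, two framework behaviours matter. FormsAuthenticationModule only renews the cookie named by the name attribute of <forms>, and renewal happens only once more than half of the timeout has elapsed, which is the rule FormsAuthentication.RenewTicketIfOld implements. The C# below assumes the ticket is kept in a custom-named cookie, so the application issues and slides it itself; TicketCookie, Issue, Slide and the cookieName parameter are hypothetical names.

```csharp
// Added example; TicketCookie and its method names are hypothetical.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class TicketCookie
{
    // Wrap an encrypted ticket in a cookie carrying the flags from <forms>.
    private static HttpCookie Build(string cookieName, FormsAuthenticationTicket ticket)
    {
        var cookie = new HttpCookie(cookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // requireSSL="true" in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // Login: create the ticket and actually add the cookie to the response.
    public static void Issue(HttpContext context, string cookieName, string userName, string userData)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(FormsAuthentication.Timeout), true, userData);
        context.Response.Cookies.Set(Build(cookieName, ticket));
    }

    // Every request (e.g. from Application_AuthenticateRequest): slide the expiry.
    public static void Slide(HttpContext context, string cookieName)
    {
        HttpCookie cookie = context.Request.Cookies[cookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return; }       // malformed or tampered value
        catch (CryptographicException) { return; }  // e.g. machineKey changed
        if (ticket == null || ticket.Expired || !FormsAuthentication.SlidingExpiration) return;

        // Returns the same ticket until more than half its lifetime has elapsed.
        FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(ticket);
        if (renewed.Expiration != ticket.Expiration)
            context.Response.Cookies.Set(Build(cookieName, renewed));
    }
}
```

With timeout="2", Slide leaves the cookie unchanged for requests made in the first minute after issue and reissues it on the first request after that.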
P
2

Maybe the problem is related to the lack of a static machineKey section in the web.config file. When you call FormsAuthentication.Encrypt or FormsAuthentication.Decrypt, the methods use the machineKey values which are provided in the web.config file to perform the operation. If you do not provide strict values for machineKey, a new unique validationKey and decryptionKey would be generated at the start of the web application. Sometimes, depending on the server settings (for example, small Idle-Time values in the application pool settings), the application is terminated before the expiration time of the FormsAuthenticationTicket. In this case, because of the new machineKey values, the Decrypt method can't validate the ticket. I just recommend you set a static machineKey.

See the following link: https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx

Pudendas answered 27/6, 2018 at 11:11 Comment(0)
A
1

In my application, I define CookieAuthenticationOptions in Startup.cs like this and it works fine:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    ExpireTimeSpan = TimeSpan.FromHours(1),
    SlidingExpiration = true,
    CookieHttpOnly = true,
    CookieName = "App.Authentication",
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
});

Do you define those options?

Why don't you use the SignIn method of AuthenticationManager?

Arrears answered 27/3, 2018 at 7:36 Comment(0)
O
1

Try to remove this line from your code and try again:

HttpContext.Current.Response.Cookies[Utility.userCookie].Expires = authTicket.Expiration;
Overhappy answered 28/3, 2018 at 15:38 Comment(0)
B
1

In the web.config file, either remove the <clear/> element or add the following after the <clear/> element if not present.

<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/>
Bowes answered 28/3, 2018 at 19:35 Comment(0)
