I am using Forms Authentication in my ASP.NET 2.0 web app running on Windows Server 2003.
I am getting a steady flow of users complaining that they are being kicked out and asked to log in again after using the site for a short while.
I guess this is some idle time-out set somewhere but it’s happening very quickly in some cases, after about 10 minutes.
This is obviously very frustrating for users when they are losing their progress on a form.
In my web.config I have the “timeout” attribute of <forms> within <authentication> set to 30 so this is not likely to be the issue. All of the users I have spoken to are sure they hadn’t been using it for 30 minutes before they were kicked out.
What other variables could it be? Or is it possible it’s a bug in my code? It’s happened on a range of different pages within my application.
Well, sliding expiration helps. But I’d suspect your application is getting recycled, which will invalidate the forms authentication ticket. How much control do you have of the server?
Is it the session timeout which defaults to 20 minutes? There may be issues with having no timeout but you can configure session through sql server which if memory serves never times out - http://support.microsoft.com/kb/317604.
I have long given up telling users about the risks of walking away logged into an application. They want to go for lunch, come back and continue filling in a form. This was the only way to keep them happy.
As for the long lunch issue, we have a little AJAX heartbeat control that handles this nicely. It held someone logged into an app and in the same session for 3 weeks straight once. Without them touching the computer.
Also just make sure you dnt have any code in the global.asax file in the Session_End method like FormsAuthentication.SignOut(). If that is the case, when your sessions expire after however long, it will destroy the users cookie.
NAWA-mark: I only have a few users, most of whom I know quite well. I trust that they can guestimate half an hour!
NightStalker-DNS: I don’t do anything on Session_End in my global.asax
wwb_99: Not being particularly experienced with forms auth, that was the first thing I checked. It’s hosted on a Windows 2003 VPS which I have full control over. The application pool only handles this one site. I previously unchecked the 3 recycle boxes and ticked the maximum used memory box and set it to 256MB. I’ve never seen it eat up that much memory.
Here’s a relevant snippet from my web.config. I added the sessionState section during this round of troubleshooting. They haven’t reported it again since so there’s a slim chance that resolved it, although it’s only been a couple of days.
If I log in, then go into IIS and recycle the process, I can continue to browse around logged in as if nothing happened. Should this behaviour be expected?
If so, it’s clearly nothing to do with the process being recycled.
The same key is used to encrypt the authentication ticket. If for somewhat reason that key changes, the tickets will be invalidated. My first guess was also the recycling problem but if you say it wasn’t that, then this is the only thing I could think of that might be a possible solution.
If the user is getting logged out and ur using forms authentication, recycling will do nothing as the authentication is a cookie, doesnt matter about server. But if your sessions are ending prematurely i also would have thought it be recycling.
Just for interest sake, have you tried using a StateServer instead of InProc?
Have you resolved this issue? We are also getting the same problem and its very frustrating. It doesn’t happen all the time. It looks like the Authentication Ticket is somewhat not valid but intermittently. Is this a common problem with ASP.net forms Authentication???
What have your tests shown?