Reputation: 3252
I am using forms authentication with an ASP.NET MVC application as given below:
Code
    using System;
    using System.Web;
    using System.Web.Security;

    public void SignIn(string userName, bool isCookiePersistent)
    {
        // Build the ticket by hand: issued now, expires in 14 days.
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddDays(14),
            isCookiePersistent, string.Empty);

        // Start from the framework's cookie so name, path and flags follow web.config.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userName, isCookiePersistent);
        if (authTicket.IsPersistent)
        {
            authCookie.Expires = authTicket.Expiration;
        }

        // Replace the cookie payload with the hand-built ticket.
        authCookie.Value = FormsAuthentication.Encrypt(authTicket);
        HttpContext.Current.Response.Cookies.Add(authCookie);
    }

    public void SignOut()
    {
        FormsAuthentication.SignOut();
    }
Problem: The problem is, if I set the forms authentication timeout to 4 hours, my users are still redirected to the login page half an hour after logging in.
I have tried both including sessionState and excluding sessionState in web.config, but nothing changes. The problem remains the same. Here is my web.config code.
Web.config (without sessionState element)
    <authentication mode="Forms">
      <forms loginUrl="~/LogOn/LogOn" requireSSL="false" timeout="240" defaultUrl="~/Home/Home" name="__appcookie" path="/" slidingExpiration="true" ticketCompatibilityMode="Framework40" protection="All">
      </forms>
    </authentication>
Web.config (WITH sessionState element)
    <sessionState timeout="240"></sessionState>
    <authentication mode="Forms">
      <forms loginUrl="~/LogOn/LogOn" requireSSL="false" timeout="240" defaultUrl="~/Home/Home" name="__appcookie" path="/" slidingExpiration="true" ticketCompatibilityMode="Framework40" protection="All">
      </forms>
    </authentication>
Could anybody please let me know whether it's really important to include sessionState and sessionTimeout in web.config? Can't I use only formAuthentication throughout my application?
No matter if I use sessionState or NOT, even with only form authentication, my user is redirected to the login page half an hour after logging in to the application. (BUT I already set 240 minutes as the form authentication timeout.)
Could anybody please give me some idea or solution on this?
Thanks in advance!
Upvotes: 2
Views: 1576
Reputation: 7261
The forms ticketCompatibilityMode="Framework40" specifies that the ticket expiration date is stored as UTC. The default is Framework20 which specifies that the ticket expiration date is stored as local time. If you're setting your FormsAuthenticationTicket expiry date manually as you are with DateTime.Now while your ticketCompatibilityMode is Framework40, you've got a disconnect between local and UTC (DateTime.Now vs. DateTime.UtcNow).
It's a gotcha that got me recently. See this MSDN article for more information.
Upvotes: 1
Reputation: 1166
30 minutes is the default time for a forms auth cookie which leads me to believe there is something wrong with your configuration. Can you try simplifying the configuration just for testing?
    <authentication mode="Forms">
      <forms loginUrl="~/LogOn/LogOn" timeout="240" protection="All" />
    </authentication>
Upvotes: 0
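One way to check which lifetime the issued ticket actually carries is to decrypt the cookie on each request and log its dates next to the configured timeout. This is an added example, not code from any of the posts; the class name AuthTicketDiagnostics, the method Describe and the Global.asax hook are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added diagnostic (hypothetical names): reports what the server reads from the
// forms-auth cookie so it can be compared with the timeout set in web.config.
public static class AuthTicketDiagnostics
{
    public static string Describe(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return "no forms-auth cookie on this request";
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            // Report only the exception type; never log the cookie value itself.
            return "cookie could not be decrypted: " + ex.GetType().Name;
        }
        if (ticket == null)
        {
            return "cookie did not contain a valid ticket";
        }

        // IssueDate and Expiration are exposed as local time; print them as UTC
        // so the values are unambiguous whatever ticketCompatibilityMode is set.
        TimeSpan lifetime = ticket.Expiration - ticket.IssueDate;
        return string.Format(
            "user={0} persistent={1} issuedUtc={2:u} expiresUtc={3:u} " +
            "ticketLifetime={4} configuredTimeout={5} sliding={6} expired={7}",
            ticket.Name, ticket.IsPersistent,
            ticket.IssueDate.ToUniversalTime(), ticket.Expiration.ToUniversalTime(),
            lifetime, FormsAuthentication.Timeout,
            FormsAuthentication.SlidingExpiration, ticket.Expired);
    }
}

// Usage in Global.asax.cs (assumed hook):
// protected void Application_AuthenticateRequest(object sender, EventArgs e)
// {
//     System.Diagnostics.Trace.WriteLine(AuthTicketDiagnostics.Describe(Request));
// }
```

If a redirect to the login page arrives with a ticket that is not expired, the timeout is being enforced somewhere other than the forms ticket.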
Reputation: 1870
Try upping the session timeout value in IIS. The default value for that is 20 minutes. You could set the web.config to have the session timeout in 4 years, but the IIS session timeout will override it. Assuming your users are not being active on your site...
Upvotes: 0