Reputation: 553
I use the ASP.NET membership API. This automatically logs out inactive sessions. I don't want this auto-logout. I used some workarounds like calling a page via AJAX after a specified amount of time, or the iframe method to keep the session active. But this does not fit my needs very well. I want to disable this logout function altogether.
Note: my question was in response to this article:
Increasing the Session Timeout Doesn't Always Work
At first glance, increasing the session timeout value in ASP.NET's web.config file should resolve the issue. You would assume that by changing the timeout value to 60 minutes in the lines below, a user would remain logged into a web application session for a full 60 minutes.
<authentication mode="Forms">
<forms name="MyAuth" timeout="60" protection="All" loginUrl="~/Web/Login.aspx" slidingExpiration="true" />
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="60" />
However, there are actually two problems with this. The first problem is that setting the timeout value to anything greater than 1 hour will result in excessive memory being held on the server, as IIS holds all session memory for the duration of the session. Imagine a timeout value of 5 hours on a high-traffic site, holding all session data for thousands of user sessions. The second problem may come up on testing the application, where often the web application will time out after only 15 minutes. What exactly is happening? While the problem may actually be a value configured in IIS for the session timeout or connection timeout properties (which, in the case of shared hosting, you may not even have access to), it becomes apparent we need to take control of the session timeout into our own hands.
Upvotes: 2
Views: 6946
Reputation: 66641
Setting the authentication cookie to never expire is way too risky.
Why? Because anyone, at any time, can use any previously generated authentication cookie to log in again.
To read more about that, see this article: "The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications"
and some related questions: Form Authentication - Cookie replay attack - protection and FormsAuthenticationTicket cannot be invalidated server side. Causing cookie reply attacks
One solution is to use a handler and a simple piece of JavaScript that calls it and renews the login session from time to time.
The html/javascript part:
<img id="LiveImg" width="1" height="1" alt="" src="keepsessionalive.ashx?" />
<script>
    var myImg = document.getElementById("LiveImg");
    if (myImg) {
        // Re-request the image every 3 seconds. Replacing the query string with
        // a random value defeats the browser cache, so each tick is a real
        // request to the handler (and therefore renews the auth ticket).
        window.setInterval(function () {
            myImg.src = myImg.src.replace(/\?.*$/, '?' + Math.random());
        }, 3000);
    }
</script>
and the keepsessionalive.ashx can contain:
<%@ WebHandler Language="C#" Class="KeepSessionAlive" %>

using System.Web;

// Add ", IRequiresSessionState" (from System.Web.SessionState) to the class
// declaration if the handler should also keep the ASP.NET session alive.
public class KeepSessionAlive : IHttpHandler
{
    // 1x1 transparent GIF
    private readonly byte[] GifData = {
        0x47, 0x49, 0x46, 0x38, 0x39, 0x61,
        0x01, 0x00, 0x01, 0x00, 0x80, 0xff,
        0x00, 0xff, 0xff, 0xff, 0x00, 0x00,
        0x00, 0x2c, 0x00, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x01, 0x00, 0x00, 0x02,
        0x02, 0x44, 0x01, 0x00, 0x3b
    };

    public void ProcessRequest(HttpContext context)
    {
        // Send the empty image. The request itself is what renews the
        // sliding-expiration forms ticket; the GIF is just a valid response body.
        context.Response.ContentType = "image/gif";
        context.Response.Buffer = false;
        context.Response.OutputStream.Write(GifData, 0, GifData.Length);
    }

    public bool IsReusable
    {
        get { return true; }
    }
}
If you also want to keep the session alive together with the authentication, use IRequiresSessionState on your handler.
On each call the authentication ticket is renewed and your session is kept alive; if the user for any reason goes away, the cookie expires and you avoid possible replay attacks.
I also introduced the auto-image-reload trick in these similar answers:
Keeping a related ASP.NET application's session alive from another ASP.NET application
Reset session timeout without doing postback in ASP.Net
What is the best approach to handle session timeouts in asp.net
Auto refresh ASP.NET web page after defined interval?
Upvotes: 2
Reputation: 55248
The same thing happened to us, and the reason was that our server had to deal with a timeout in IIS (i.e., the IIS request timeout) over which we did not have any particular control (on the server where my site was hosted).
So we did this. (Not very optimal, but it worked for me. I hope you have a master page to do all this; otherwise you have to do it on every page.)
Suppose you want to increase the timeout to an arbitrary limit, say, 1 day.
1. First increase that in web.config to the default value, 20 minutes. The maximum value is one year.
2. Run an empty iframe at the bottom of your master page.
<iframe id="SessionHandler" src="/html/SessionHandlerHack.aspx" frameborder="no" height="0" width="0"></iframe>
3. And in the code-behind of the page, write:
C#
protected void Page_Load(object sender, EventArgs e)
{
//Session timeout is now at 20 minutes. due to the unreliable nature of session,
//we are setting the meta-refresh to be 15 minutes to be on safer side.
Response.AddHeader("Refresh", "900");
}
VB.NET
Protected Sub Page_Load(sender As Object, e As System.EventArgs) Handles Me.Load
'Session timeout is now at 20 minutes. due to the unreliable nature of session,
'we are setting the meta-refresh to be 15 minutes to be on safer side.
Response.AddHeader("Refresh", "900")
End Sub
Yes, it's equivalent to adding a refresh header; we did it in code-behind so we could manipulate the 15-minute value with a variable. And yes,
<meta http-equiv="refresh" content="900">
on the ASPX page itself will do fine.
4. Run a JavaScript timer on the master page that expires after 24 * 60 * 60 * 1000 milliseconds (i.e., 1 day). On expiry, redirect the user to the logout page like this.
var timeOut = 86400000; //24 x 60 x 60 x 1000 ie, number of milli-seconds in a day
$(document).ready(function () {//window.onload for you maybe?
window.setTimeout(function () {
window.location = "/LogIN.aspx?action=logout";
}, timeOut);
});
The logic is that the site won't get timed out, as the timeout has a sliding expiry and the iframe in the page will be refreshed every 15 minutes, thus resetting the session expiry. Now, the JavaScript timer also runs on the page, is unaware of the refresh happening in the iframe, and acts as the timeout referee for our desired timeout. Also, it will be reset as the page gets reloaded or navigated away from, and starts the timer all over again.
A little too much to take in the first time. But this worked for us, and this is the only solution we have found so far (not that we are researching it every day :P).
Hope this helps. Happy session hacking!
Upvotes: 1
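The two answers above both rely on a client-side keep-alive (the 1x1 image pinging keepsessionalive.ashx, and the iframe refresh plus a JavaScript "referee" timer). As written, either one keeps renewing the forms-authentication ticket for as long as a tab is open, even if nobody is at the keyboard, which is exactly the idle-timeout protection the second answer's replay-attack warning is about. The following is an added example, not code from either answer: a browser-side controller that only pings while the user has recently interacted with the page and that also enforces an absolute lifetime after which the user is sent to the logout page. The handler URL, logout URL, element id and all intervals are assumed illustrative values; the decision logic is kept DOM-free so it can be exercised outside a browser.

```javascript
// Added example (not from the original answers): activity-aware keep-alive
// with an absolute session lifetime. Combines the image-ping handler of the
// second answer with the "referee" timer of the third answer.
//
// Assumed values (illustrative, not from a real application):
const KEEPALIVE_URL = "keepsessionalive.ashx";   // assumed handler path
const LOGOUT_URL = "/LogIN.aspx?action=logout";  // assumed logout path

// Pure decision function, kept free of DOM access so it can be unit tested.
//   state: { startedAt, lastActivity, lastPing }  (millisecond timestamps)
//   opts:  { pingIntervalMs, idleLimitMs, absoluteLimitMs }
function planTick(state, now, opts) {
  if (now - state.startedAt >= opts.absoluteLimitMs) {
    // Hard cap on how long one login may live, however active the user is.
    return { action: "logout", reason: "absolute-limit" };
  }
  if (now - state.lastActivity >= opts.idleLimitMs) {
    // User walked away: stop pinging and let the server-side sliding
    // expiration run out, so a copied ticket stops working as well.
    return { action: "idle", reason: "user-idle" };
  }
  if (now - state.lastPing >= opts.pingIntervalMs) {
    return { action: "ping", reason: "renew" };
  }
  return { action: "wait", reason: "too-soon" };
}

// Controller. `deps` injects the clock and the side effects (ping, logout)
// so the logic can run under Node without a browser.
function createKeepAlive(opts, deps) {
  const now = deps.now || (() => Date.now());
  const t0 = now();
  const state = { startedAt: t0, lastActivity: t0, lastPing: t0 };
  return {
    state,
    // Wire this to user-input events.
    recordActivity() { state.lastActivity = now(); },
    // Call from a timer; returns the decision it acted on.
    tick() {
      const plan = planTick(state, now(), opts);
      if (plan.action === "ping") {
        state.lastPing = now();
        deps.ping();
      } else if (plan.action === "logout") {
        deps.logout();
      }
      return plan;
    },
  };
}

// Browser wiring, guarded so the file also loads outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const img = document.getElementById("LiveImg"); // the 1x1 image from the answer
  const ka = createKeepAlive(
    { pingIntervalMs: 60 * 1000, idleLimitMs: 10 * 60 * 1000, absoluteLimitMs: 8 * 60 * 60 * 1000 },
    {
      // Same cache-busting trick as the answer: a random query string forces a real request.
      ping() { if (img) { img.src = KEEPALIVE_URL + "?" + Math.random(); } },
      logout() { window.location = LOGOUT_URL; },
    }
  );
  ["mousemove", "keydown", "click", "scroll", "touchstart"].forEach(function (ev) {
    document.addEventListener(ev, function () { ka.recordActivity(); }, { passive: true });
  });
  window.setInterval(function () { ka.tick(); }, 5 * 1000);
}
```

Two things to keep in mind when picking the numbers. With slidingExpiration="true", ASP.NET only reissues the forms ticket on a request made after more than half of the timeout has elapsed, so pingIntervalMs must be shorter than half the forms timeout for the ticket to be renewed before it expires. And the absolute limit here is enforced only in the browser, just like the third answer's timer: anyone who controls the client can simply not run it, so the server-side ticket and session timeouts remain the real boundary.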
Reputation:
Add this to your web.config:
<system.web>
<authentication mode="Forms">
<forms timeout="99999999"/>
</authentication>
</system.web>
Upvotes: 0