Reputation: 1
We've got a huge problem.
We're using the Belgian eID (electronic identity card, which is a smart card). The claim that is returned is used by our Forms Authentication.
Everything works fine, but after 10 minutes (of activity or inactivity, doesn't matter), it automatically logs out.
Here is the code fragment where we create the session:
    private void CreateSession(ClaimsPrincipal transformedPrincipal)
    {
        // Issue a WIF session token with a 1-hour lifetime and write it to the session cookie.
        SessionSecurityToken sessionSecurityToken = new SessionSecurityToken(transformedPrincipal, TimeSpan.FromHours(1));
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionSecurityToken);
    }
In the Web.config, we set the session timeout:
<sessionState cookieless="false" timeout="60" />
On the IIS server, we set the Application Pool Idle Time-out to 8 hours.
We also set the Regular Time Interval of the recycling to 8 hours.
Upvotes: 0
Views: 9790
Reputation: 8474
Quick hack:
Set the session timeout 2 minutes later than the forms timeout. This ensures that the session is not killed at the exact second the authentication dies. But remember, sessions are independent of forms (see this blog for more details).
    <system.web>
        <authentication mode="Forms">
            <forms timeout="20" loginUrl="-- Login Page here --"/>
        </authentication>
        <sessionState mode="InProc" timeout="22"/>
    </system.web>
Deeper investigation:
I would try and work out which one specifically is timing out. This is a fairly easy test, and will save you quite a lot of time.
So, the sections required are these, with a forms timeout of 1 minute and a session timeout of 10000:
    <system.web>
        <authentication mode="Forms">
            <forms timeout="1" loginUrl="-- Login Page here --"/>
        </authentication>
        <sessionState mode="InProc" timeout="10000"/>
    </system.web>
So log in, browse to a page, wait one minute, refresh the site, and you should see the login page.
In your favourite browser, open a developer toolbar and browse the cookies that are stored for this site. There should be 2 cookies:
ASP.NET_SessionId - to track your session.
.ASPXAUTH - to track your login (unless your browser has deleted it due to expiration).
You should see that the expiration time for the session (ASP.NET_SessionId) is in the future, but the form (.ASPXAUTH) has expired.
Login again, and your session should be the same as before.
Reverse the settings and you should find the reverse is happening, i.e. you are logged in for a long period of time, but it is resetting.
Tracing the session end event
One more thing you can try is in your Global.asax. Make sure your sessionMode='InProc' in your web.config and add a method:
    using System.Diagnostics;

    // Only works with sessionMode='InProc'
    protected void Session_End(object sender, EventArgs e)
    {
        // Break into the debugger the moment the session is torn down.
        if (Debugger.IsAttached)
            Debugger.Break();
    }
The breakpoint will hit when the session dies, which you may be able to track back via the call stack to the exact reason why it has expired. This can come about when code calls Session.Abandon() as well.
Upvotes: 0
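The cookie inspection and the Session_End trace above tell you which lifetime dies first, but both require watching the browser or a debugger. The following Global.asax handler is an added example (it is not code from the question or the answer) that logs the state of all three lifetimes on every request: the ASP.NET session cookie, the Forms authentication ticket, and the WIF SessionSecurityToken that the asker's CreateSession writes. It assumes System.IdentityModel.Services (WIF, .NET 4.5 or later) is referenced, that the application has a Global.asax, and that the session cookie uses the default name ASP.NET_SessionId; the "[auth-lifetimes]" tag is a made-up prefix for filtering the trace.

```csharp
// Added diagnostic example, not from the original post or answer. Logs, on every request,
// which authentication/session lifetime is still alive so that the trace shows which one
// runs out first. Assumes WIF (System.IdentityModel.Services) and a Global.asax.
using System;
using System.Diagnostics;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // PostAuthenticateRequest runs after FormsAuthenticationModule and the WIF
    // SessionAuthenticationModule have both looked at the request's cookies.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        DateTime now = DateTime.UtcNow;

        // 1. ASP.NET session cookie (default name assumed). Only presence can be checked
        //    here: its server-side lifetime is the <sessionState timeout> value and is
        //    not embedded in the cookie.
        bool hasSessionCookie = request.Cookies["ASP.NET_SessionId"] != null;

        // 2. Forms authentication ticket (.ASPXAUTH by default). Decrypting it exposes
        //    the issue and expiration times carried inside the ticket.
        string formsState = "absent";
        HttpCookie formsCookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (formsCookie != null)
        {
            try
            {
                FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(formsCookie.Value);
                formsState = ticket == null
                    ? "undecryptable"
                    : string.Format("issued={0:u} expires={1:u} expired={2}",
                                    ticket.IssueDate.ToUniversalTime(),
                                    ticket.Expiration.ToUniversalTime(),
                                    ticket.Expired);
            }
            catch (Exception ex)
            {
                // A tampered cookie, or one issued under a different machineKey, lands here.
                formsState = "decrypt failed: " + ex.GetType().Name;
            }
        }

        // 3. WIF session token (FedAuth cookie). ValidFrom/ValidTo reflect the TimeSpan
        //    passed to the SessionSecurityToken constructor when the cookie was written.
        string wifState = "absent";
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        SessionSecurityToken token;
        if (sam != null && sam.TryReadSessionTokenFromCookie(out token))
        {
            wifState = string.Format("validFrom={0:u} validTo={1:u} remaining={2}",
                                     token.ValidFrom, token.ValidTo, token.ValidTo - now);
        }

        // One line per request; "[auth-lifetimes]" is a constructed tag for filtering.
        Trace.WriteLine(string.Format(
            "[auth-lifetimes] {0:u} path={1} sessionCookie={2} forms[{3}] wif[{4}]",
            now, request.Path, hasSessionCookie, formsState, wifState));
    }
}
```

Attach a TraceListener (or watch the Output window under the debugger), log in, and keep issuing requests past the 10-minute mark. The entry that flips to "absent" or "expired" on the first request that redirects to the login page is the lifetime to fix; if the WIF token's validTo is still far in the future at that moment, the redirect is not caused by the SessionSecurityToken lifetime and the Session_End trace from the answer is the next place to look.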