locked
How to deal with session timeout in Visual Studio 2015? RRS feed

  • Question

  • User-609535877 posted

    I implement a new web form project using Visual studio 2015. I use defaulted "Individual User Accounts" authentication

    <authentication mode="None" />

    to authenticate the user with identity framework. Now I add timeout 5 min in web.config

    <sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="5"> for testing on my developer computer. the session never times out.

    What is wrong with the application? Thanks in advance.

    Monday, July 30, 2018 2:32 PM

Answers

  • User475983607 posted

    Session is a different framework than "Individual User Accounts".   Individual User Accounts is an OWIN component that uses a cookie to cache a authenticaiton token.  The details are published in the support docs under security.

    https://www.asp.net/web-forms

    Sample configuration to change the OWIN authentication timeout to 5 minutes in the App_Start/Startup.Auth.cs file.

    app.UseCookieAuthentication(new CookieAuthenticationOptions
                {
                    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                    LoginPath = new PathString("/Account/Login"),
                    ExpireTimeSpan = TimeSpan.FromMinutes(5),
                    Provider = new CookieAuthenticationProvider
                    {
                        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                            validateInterval: TimeSpan.FromMinutes(5),
                            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                    }
                });

    The ExpiretimeSpan expires the auth cookie after 5 minutes of non use which causes the browser to delete the cookie.  The validateInterval setting (optional) is the frequency the API checks for change in the user's security stamp.  

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, July 30, 2018 3:38 PM
  • User283571144 posted

    Hi zhao790,

    What is wrong with the application? Thanks in advance.

    As mgebhard says, the identity use cookie to store the user token not session.

    I also created a test demo on my side to test session setting. It works well.

    I suggest you could create a simple test page to test the session after the session has already expired.

    More details, you could refer to below codes:

    Notice: I modify the session timeout value to one minute.

    You could click the button after one minute to check the session timeout value is right.

    ASPX:

    <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="login.aspx.cs" Inherits="WebApplication.login" %>
     
    <!DOCTYPE html>
     
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title></title>
    </head>
    <body>
        <form id="form1" runat="server">
            <div id="divTime">
            </div>
     
            <input id="Submit1" type="submit" value="submit" />
     
            <script>
                setInterval(function () {
                    document.getElementById('divTime').innerHTML = new Date();
                }, 1000);
            </script>
        </form>
    </body>
    </html>
    

    Code-behind:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            Session["Islogin"] = "1";
        }
     
        if (Session["Islogin"] == null)
        {
            Response.Redirect("https://www.google.com");
        }
    }
    

    Web config:

    <?xml version="1.0" encoding="utf-8"?>
     
    <!--
      For more information on how to configure your ASP.NET application, please visit
      https://go.microsoft.com/fwlink/?LinkId=169433
      -->
    <configuration>
      <system.web>
        <compilation debug="true" targetFramework="4.6.1"/>
        <httpRuntime targetFramework="4.6.1"/>
        <authentication mode="None" />
        <sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="1"/>
      </system.web>
      <system.codedom>
        <compilers>
          <compiler language="c#;cs;csharp" extension=".cs"
            type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.8.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
          <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
            type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.8.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+"/>
        </compilers>
      </system.codedom>
    </configuration>
    

    Best Regards,

    Brando

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, July 31, 2018 7:00 AM

All replies

  • User475983607 posted

    Session is a different framework than "Individual User Accounts".   Individual User Accounts is an OWIN component that uses a cookie to cache a authenticaiton token.  The details are published in the support docs under security.

    https://www.asp.net/web-forms

    Sample configuration to change the OWIN authentication timeout to 5 minutes in the App_Start/Startup.Auth.cs file.

    app.UseCookieAuthentication(new CookieAuthenticationOptions
                {
                    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                    LoginPath = new PathString("/Account/Login"),
                    ExpireTimeSpan = TimeSpan.FromMinutes(5),
                    Provider = new CookieAuthenticationProvider
                    {
                        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                            validateInterval: TimeSpan.FromMinutes(5),
                            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                    }
                });

    The ExpiretimeSpan expires the auth cookie after 5 minutes of non use which causes the browser to delete the cookie.  The validateInterval setting (optional) is the frequency the API checks for change in the user's security stamp.  

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, July 30, 2018 3:38 PM
  • User283571144 posted

    Hi zhao790,

    What is wrong with the application? Thanks in advance.

    As mgebhard says, the identity use cookie to store the user token not session.

    I also created a test demo on my side to test session setting. It works well.

    I suggest you could create a simple test page to test the session after the session has already expired.

    More details, you could refer to below codes:

    Notice: I modify the session timeout value to one minute.

    You could click the button after one minute to check the session timeout value is right.

    ASPX:

    <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="login.aspx.cs" Inherits="WebApplication.login" %>
     
    <!DOCTYPE html>
     
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title></title>
    </head>
    <body>
        <form id="form1" runat="server">
            <div id="divTime">
            </div>
     
            <input id="Submit1" type="submit" value="submit" />
     
            <script>
                setInterval(function () {
                    document.getElementById('divTime').innerHTML = new Date();
                }, 1000);
            </script>
        </form>
    </body>
    </html>
    

    Code-behind:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            Session["Islogin"] = "1";
        }
     
        if (Session["Islogin"] == null)
        {
            Response.Redirect("https://www.google.com");
        }
    }
    

    Web config:

    <?xml version="1.0" encoding="utf-8"?>
     
    <!--
      For more information on how to configure your ASP.NET application, please visit
      https://go.microsoft.com/fwlink/?LinkId=169433
      -->
    <configuration>
      <system.web>
        <compilation debug="true" targetFramework="4.6.1"/>
        <httpRuntime targetFramework="4.6.1"/>
        <authentication mode="None" />
        <sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="1"/>
      </system.web>
      <system.codedom>
        <compilers>
          <compiler language="c#;cs;csharp" extension=".cs"
            type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.8.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
          <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
            type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.8.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+"/>
        </compilers>
      </system.codedom>
    </configuration>
    

    Best Regards,

    Brando

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, July 31, 2018 7:00 AM