My ASP.NET MVC web application will automatically log out users after a certain amount of time (if idle)

  • Question

  • User-540818677 posted

    I have the following:-

    1. ASP.NET MVC 4 web application, deployed under IIS 7.
    2. I have set the same settings for my test and production web applications, which have exactly the same settings for the following:

    - Web.config file as follows:

     

        <httpRuntime targetFramework="4.5" />
        <authentication mode="Forms">
          <forms loginUrl="~/Account/Login" timeout="2880" />
        </authentication>

        <pages>
          <namespaces>
            <add namespace="System.Web.Helpers" />
            <add namespace="System.Web.Mvc" />
            <add namespace="System.Web.Mvc.Ajax" />
            <add namespace="System.Web.Mvc.Html" />
            <add namespace="System.Web.Optimization" />
            <add namespace="System.Web.Routing" />
            <add namespace="System.Web.WebPages" />
          </namespaces>
        </pages>
        <sessionState timeout="120"></sessionState>
      </system.web>
      <system.webServer>

    - The login action method is as follows:

            [HttpPost]
            [AllowAnonymous]
            [ValidateAntiForgeryToken]
            public ActionResult Login(LoginModel model, string returnUrl)
            {
                MembershipProvider domainProvider;

                domainProvider = Membership.Providers["TestDomain1ADMembershipProvider"];
                if (ModelState.IsValid)
                {
                    // Validate the credentials against the AD membership provider.
                    if (domainProvider.ValidateUser(model.UserName, model.Password))
                    {
                        // Issue the forms-authentication cookie; it is persistent when RememberMe is true.
                        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
                    }
                    else
                    {
                        ModelState.AddModelError("", "The user name or password provided is incorrect.");
                        List<String> domains2 = new List<String>();
                        domains2.Add("AD-T");

                        ViewBag.Domains = domains2;
                        return View(model);
                    }

                    return RedirectToLocal(returnUrl);
                }

                // Invalid model state: redisplay the login form.
                List<String> domains = new List<String>();
                domains.Add("AD-T");

                ViewBag.Domains = domains;
                return View(model);
            }

    - The IIS setting is as follows. I set the idle timeout for the application pool to be 20 minutes.

    Now our test server will keep the user logged in for more than one day, so even if I shut down my PC and I did not log out, I can use the test application without the need to log in. But on our live server the situation is different: the user will be logged out after less than ½ hour if he did not use the system, but if he keeps working in the system he will not be logged out. Bearing in mind that my test database and my live database are on the same server. And I am using forms authentication against our LDAP server.

    So I think the application pool idle time & <sessionState timeout="120"></sessionState> are meaningless in my case, because on the test application the idle timeout is set to 20 minutes and session state to 120 minutes, but users will not be logged out for more than one day. So I think there are different settings which control when the user will be logged out after idle time…

    So can anyone advise on what might be causing this problem?

    Friday, October 31, 2014 10:06 PM

Answers

  • User281315223 posted

    If this is occurring within less than an hour, it could likely be an Idle Timeout through IIS (seen in the second section below). I'll paste the following, which I have posted in the past and which contains all of the necessary steps to change all of these various timeouts (Forms Authentication and IIS Idle Timeouts), which may depend on how your current code is implemented.

    Setting the Forms Authentication Timeout within your web.config (may not be applicable)

    You can adjust the specific timeout property of your Forms Authentication in your application by adjusting the timeout property within the <authentication> element of your web.config file. You will also want to be mindful if you are using the slidingExpiration property in conjunction with timeouts, as they can actually expire much earlier than the timeout listed.

    <authentication mode="Forms"> 
    <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="yourTimeoutInMinutes"></forms>
    </authentication>

    So if you wanted to extend the amount that the authentication token stays "alive" for to say 60 minutes (an hour), you would set it as seen below : 

    <authentication mode="Forms"> 
    <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="60"></forms>
    </authentication>

    However, if you are using the slidingExpiration property, the authentication token can expire when half of the timeout duration has elapsed. So you'll likely want to double your timeout value if you are using it :

    <authentication mode="Forms"> 
    <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="120" slidingExpiration="true"></forms>
    </authentication>

    Setting the Application IdleTimeout property within IIS

    You may need to check what your timeout is configured for within IIS, as this timeout will override the timeouts defined in your web.config. 

    Within IIS there is a setting called Idle Timeout, which defaults to 20 minutes. This could explain your early timeout issue and you may want to consider adjusting this property within IIS. Based on your issue, this could likely be the culprit:

    Scott Hanselman also addresses strange issues that can occur when dealing with timeouts when using Forms Authentication in this blog post as well.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, November 2, 2014 10:20 PM
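
The half-timeout behaviour of slidingExpiration described in the answer above, as an added example that is not part of the original thread: a stand-alone C# model of the renewal rule used by FormsAuthentication.RenewTicketIfOld, where a ticket is reissued only when a request arrives after at least half of its lifetime has elapsed. The class name, method name and request times are constructed for illustration, and the model does not reference System.Web.

```csharp
using System;

// Illustrative model of forms-authentication ticket expiry (constructed names,
// no System.Web dependency). Times are minutes since login.
static class SlidingExpirationModel
{
    // Returns the minute at which the ticket stops being accepted, given the
    // <forms timeout="..."> value, the slidingExpiration flag and the minutes
    // at which the user makes requests (ascending order).
    public static double LogoutMinute(double timeoutMinutes, bool sliding, double[] requestMinutes)
    {
        double issued = 0;
        double expires = timeoutMinutes;

        foreach (double now in requestMinutes)
        {
            if (now >= expires) break;          // ticket already expired: request is rejected
            if (!sliding) continue;             // absolute expiry: activity never extends it

            double elapsed = now - issued;
            double remaining = expires - now;
            if (remaining > elapsed) continue;  // less than half used: old ticket is kept

            issued = now;                       // half or more used: reissue with full lifetime
            expires = now + timeoutMinutes;
        }
        return expires;
    }

    static void Main()
    {
        // timeout="60", last click at minute 25 (before the halfway point):
        // no renewal happens, so the idle window after that click is shorter than 60.
        Console.WriteLine(LogoutMinute(60, true, new double[] { 10, 25 }));

        // timeout="60", last click at minute 35 (past the halfway point): renewed.
        Console.WriteLine(LogoutMinute(60, true, new double[] { 10, 35 }));

        // slidingExpiration="false": the same clicks do not move the expiry.
        Console.WriteLine(LogoutMinute(60, false, new double[] { 10, 35 }));

        // timeout="120" (the doubled value from the answer), single click just
        // before halfway: the ticket is not renewed, yet over 60 idle minutes remain.
        Console.WriteLine(LogoutMinute(120, true, new double[] { 59 }));
    }
}
```

Subtracting the last request time from the returned value gives the effective idle window, which is the figure to compare against the session lifetime you intend users to have.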

All replies

  • User-540818677 posted

    OK, I will try your settings, but when I tried to change the application pool idle timeout inside IIS Manager, I got this error:

    The 'Idle Time-out (minutes)' property of the application pool's process model must be less than the 'Regular Time Interval (minutes)' property of the application pool's period restart.

    Tuesday, November 4, 2014 5:56 AM
  • User-540818677 posted

    I changed the IIS application pool idle timeout and the regular time interval inside the Recycling setting to be 10,000 minutes instead of 20 and 1740 minutes, and it seems to be working well. But I have a question on what is the maximum time in minutes that I can specify for the application pool idle timeout? For our case we are working on an intranet site, so having the users' cookies active will not cause a security problem, because the user needs to be logged in to our network to access the system...?

    Tuesday, November 4, 2014 7:50 PM