Question

I have tried damn near everything I can but users are still being logged out after a very short amount of time. Below I've included my authentication controller and my web.config. This is about the 30th iteration of my auth controller. I've also tried building my own cookies to no avail.

//Authentication Controller

public ActionResult Index(Login login)
{
    if (true) //if (ModelState.IsValid)
    {
        using (InVisionTicketContext data = new InVisionTicketContext())
        {
            if (data.Logins.Count(l => l.Email == login.Email) >= 1)
            {
                var Login = data.Logins.Where(l => l.Deleted == false).SingleOrDefault(l => l.Email.ToLower() == login.Email.ToLower());
                // SingleOrDefault returns null when the only matching record is deleted
                if (Login == null || string.IsNullOrWhiteSpace(Login.Password))
                {
                    ModelState.AddModelError("", "Invalid username or password.");
                    return View();
                }

                if (PasswordHash.ValidatePassword(login.Password, Login.Password))
                {
                    // true = persistent cookie; its lifetime comes from the forms timeout in web.config
                    FormsAuthentication.SetAuthCookie(Login.Email, true);

                    return RedirectToAction("Index", "Home");
                }
            }
        }
    }
    ModelState.AddModelError("", "Invalid username or password.");
    return View();
}


//Web.Config
<authentication mode="Forms">
    <forms loginUrl="~/Authentication" timeout="28800" slidingExpiration="true" cookieless="UseCookies" name="InvTicketCookie"/>
</authentication>
<sessionState timeout="28800">
</sessionState>


Solution

One option would be to set a static machineKey in web.config and see if that solves the problem. If your app pool is restarting regularly for some reason, and the autogenerated key can't be persisted, then you'll get this behavior because ASP.NET won't be able to decrypt the ticket with a new key.

You can see an example of a statically generated machine key here.

OTHER TIPS

You are creating two cookies, one with SetAuthCookie and a second with RedirectFromLoginPage. The forms authentication module gets confused and sliding expires only one of these cookies. Unfortunately the second one, which expires sooner or later, logs users out.

Either remove SetAuthCookie or if you leave it, redirect manually with Response.Redirect.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow