FormsAuthentication Timeout not reset

Discussion in 'ASP .Net Security' started by Chuck, Sep 29, 2009.

  1. Chuck

    Chuck Guest

    I'm using forms authentication with a 50 minute timeout and sliding expiration.
    The ticket expiration value is not being reset after greater than 25
    minutes. I have session variables turned off.
    I'm using roles and have the same experience whether I use role cookies or
    not.
    No async postbacks on the page.

    I setup an nUnit test which postsbacks the page every minute.
    I log the authentication ticket expiration time value every post.

    The ticket.Expiration value is not changing.
    After 50 minutes I am redirected to the login page.
    Chuck, Sep 29, 2009
    #1
    1. Advertising

  2. Hi,

    >I'm using forms authentication with a 50 minute timeout and sliding

    expiration.
    >The ticket expiration value is not being reset after greater than 25
    >minutes. I have session variables turned off.
    >I'm using roles and have the same experience whether I use role cookies or
    >not.
    >No async postbacks on the page.


    >I setup an nUnit test which postsbacks the page every minute.
    >I log the authentication ticket expiration time value every post.


    >The ticket.Expiration value is not changing.
    >After 50 minutes I am redirected to the login page.



    I did a test following your description but I cannot reproduce this
    problem. For test purpose I set timeout to one minute. Then I click the
    button every few seconds. 30 seconds elapsed after the first page load and
    the expire time is updated on the next postback. My test code is like below:

    aspx.cs:

    protected void Page_Load(object sender, EventArgs e)
    {
    FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
    var expire= id.Ticket.Expiration;
    Response.Write("expiration:" + expire);
    }

    aspx:

    <form id="form1" runat="server">
    <div>

    <input id="time" />
    <asp:Button ID="Button1" runat="server" Text="Button" />
    </div>

    <script type="text/javascript">
    var seconds = 0;
    function timedMsg() {
    document.getElementById("time").value = seconds;
    var t = setTimeout("timedMsg()", 1000);
    seconds++;
    }
    var d = new Date();

    var curr_hour = d.getHours();
    var curr_min = d.getMinutes();
    var curr_sec=d.getSeconds();
    document.write(curr_hour + " : " + curr_min + ":" + curr_sec);

    timedMsg();
    </script>
    </form>

    web.config:

    <forms loginUrl="Login.aspx" timeout="1" slidingExpiration="true">

    </forms>

    Could you please create a new project to test the above code? Does it work?

    As far as I know it's unlikely that the internal mechanism of ASP.NET
    breaks. Are you using custom HttpModule for authentication? Please read the
    following article which describes a similar issue:

    http://weblogs.asp.net/owscott/archive/2006/07/15/Forms-Authentication-Timeo
    ut.aspx

    Please let me know your test result. We can then work together to do
    further investigation.

    Regards,
    Allen Chen
    Microsoft Online Support

    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

    Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 2 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions. Issues of this
    nature are best handled working with a dedicated Microsoft Support Engineer
    by contacting Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Allen Chen [MSFT], Sep 30, 2009
    #2
    1. Advertising

  3. Chuck

    Chuck Guest

    Allen,

    FYI,
    We are sharing the FormsAuthentication cookies across servers.
    We found the sliding timeout does not work unless you set the optional Forms
    Authentication parameter for domain (which overrides the cookie domain).

    Don't know why but that setting fixed it.
    Chuck, Oct 5, 2009
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. .NET Follower

    Meaning Of Timeout in FormsAuthentication???

    .NET Follower, Feb 6, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    347
    .NET Follower
    Feb 6, 2004
  2. Danny
    Replies:
    1
    Views:
    1,320
    Craig Deelsnyder
    Jun 17, 2004
  3. tshad
    Replies:
    8
    Views:
    2,123
    =?Utf-8?B?UGF0cmljay5PLklnZQ==?=
    Jan 14, 2005
  4. =?Utf-8?B?Q3JhaWc=?=

    formsauthentication timeout & session timeout

    =?Utf-8?B?Q3JhaWc=?=, Aug 10, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    2,625
    =?Utf-8?B?RU5JWklO?= .enizin.net>
    Aug 10, 2005
  5. Mark Probert

    Timeout::timeout and Socket timeout

    Mark Probert, Oct 6, 2004, in forum: Ruby
    Replies:
    1
    Views:
    1,251
    Brian Candler
    Oct 6, 2004
Loading...

Share This Page