pgorry
Hi all,
I am trying to create a new website using ASP.NET 2.0. I am using
forms authentication, and I am trying to have it so that once a user
signs in, they will never time out.
However, after logging in - and then leaving the browser (IE6) open for
a given period (I have not managed to identify this period exactly yet,
usually over half an hour anyway), any call to
HttpContext.Current.User.Identity.IsAuthenticated returns false, and my
app sends them back to the login page.
Here is what I am doing:
1. The login is handled by the asp.net login control, nothing too fancy
in that
2. The web config has the following set:
....
<authentication mode="Forms">
<forms cookieless="UseDeviceProfile" timeout="500000"
slidingExpiration="false"></forms>
</authentication>
....
<sessionState mode="Off"></sessionState>
3. Use the following code on the page.init to see if the user is
authenticated HttpContext.Current.User.Identity.IsAuthenticated
And my discoveries:
1. As I said - log in, leave the browser open for a period of time,
navigate to a new page, and the user is no longer authenticated
2. This appears to only be happening on the live server (which is
shared hosting - limited access). I have added some debugging to a
file, and when the call is made after the time lag
a) the value of HttpContext.Current.User.Identity.Name = "" (so
obviously the user is not authenticated)
b) The ".ASPXAUTH" cookie is no longer set
3. If I look at the cookie expiry (in debug on development machine) it
has an expiry of 01/01/0001, is this okay\normal?
4. Interestingly, if I set the timeout to be short, let's say 1 minute
the application behaves okay, I can navigate on the site for 1 minute -
and after that I am forced to login. So it is respecting the timeout
value - to some degree
5. If I intermittently access the site, then it never seems to timeout.
This adds to the confusion as I have set slidingExpiration="false"
6. This happens on two separate machines, so does not appear to be
machine independent
My Questions
1. What's happening???
2. I am thinking that possibly the cookie expiration is not getting set
to the same value time as the form timeout. Is this possible?
3. Where is the cookie stored? I would have expected to see a cookie
in C:\Documents and Settings\user\Cookies called user@mywebsite[1].txt
but I don't. Yet looking at the traffic in Fiddler the cookie exists
and does get passed.
4. Am I correct in assuming I do not need to have SessionState enabled?
I have no need for it so have it disabled.
Any help on this would be appreciated. I feel like I am missing some
configuration - or maybe a complete lack of understanding of Forms
Authentication.
Thanks.
Patrick.