Forms-based authentication expires before timeout

Anders Lybecker

Hi,

I'm having a problem with the forms-based authentication. The user is
getting timed out long before the timeout period has passed.
The forms-based authentication timeout is set to 10 hours and session
timeout to 2 hours.

Has anyone experienced the same problems?

I'm running framework 1.0.3705 on Windows 2k Server with IIS 5.

Any help is appreciated.

Regards
Anders Lybecker
 
Keith

First of all, 10 hours for session timeout is going to
crush your servers. That's an absolutely resource
intensive approach to session timeouts. In addition, it
also represents a security concern that someone could get
up from their session and have it remain active as much
as 10 hours later. I would think 2 hours each value
would be more than adequate, but in reality 20 minutes is
a good approach for most sites. That means your session
is renewed for 10 hours after each click.

Even so, my gut instinct is that the problem you're
having is related to how you're setting the timeout.
First of all, know that the Administrator can control
session timeout settings. Second, please forward along
the part of your web.config and aspx files where you
programmatically set the limits. A common mistake is to
use the server clock to set the session timeout client-
side. Clocks are never in perfect concert.

What I really think the problem is, is that your forms based
authentication ticket isn't being renewed. This is
caused by FormsAuthentication.SlidingExpiration being
false. Check to see at runtime if the value is false.
If so your expiration is not being reset each request.

Here's a related link:
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=90860
 
Anders Lybecker

> First of all, 10 hours for session timeout is going to
> crush your servers. That's an absolutely resource
> intensive approach to session timeouts.

I don't care, we got plenty of resources. :)
The client is always right, and I have nothing to say in this matter.

> In addition, it
> also represents a security concern that someone could get
> up from their session and have it remain active as much
> as 10 hours later. I would think 2 hours each value
> would be more than adequate, but in reality 20 minutes is
> a good approach for most sites. That means your session
> is renewed for 10 hours after each click.

Everything is running within a secure VPN network, so security is not
that high a concern.

> Even so, my gut instinct is that the problem you're
> having is related to how you're setting the timeout.
> First of all, know that the Administrator can control
> session timeout settings. Second, please forward along
> the part of your web.config and aspx files where you
> programmatically set the limits. A common mistake is to
> use the server clock to set the session timeout client-
> side. Clocks are never in perfect concert.
>
> What I really think the problem is, is that your forms based
> authentication ticket isn't being renewed. This is
> caused by FormsAuthentication.SlidingExpiration being
> false. Check to see at runtime if the value is false.
> If so your expiration is not being reset each request.
>
> Here's a related link:
> http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=90860

Here is part of the web.config:

<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="600"/>
</authentication>

And the single line of code that sets the authentication token from
the Login.aspx file:

FormsAuthentication.RedirectFromLoginPage(strUserName, False)

Am I missing something?

Thanks
Anders Lybecker

 
Hernan de Lahitte

If you are experiencing timeout problems, it might be the big gap between
the session timeout and the Forms cookie timeout renewal. The latter will
renew its value when more than half the specified time has elapsed (5 hs).
If you have a session timeout of 2 hours, then the session will expire long
before the cookie. So adjusting the forms timeout or the session timeout
value should solve this problem. However, I agree with Keith's comments about
the suggested timeout values. Remember the "Defense in depth" security
practice: although you may have a VPN or plenty of processing resources,
the majority of attacks always come from the inside.

Regards,

Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com
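To make the two timers Keith and Hernan are talking about concrete, here is a small Python model that is an added example and not code from this thread or from ASP.NET itself. It uses the thread's own numbers (forms timeout 600 minutes, session timeout 2 hours), implements the renewal rule Hernan states (the forms cookie is reissued only once more than half the timeout has elapsed, and only while sliding expiration is on, the setting Keith points at), and assumes session state is a plain idle timeout measured from the previous request. The `Ticket` class, `simulate`, `first_session_loss` and the request offsets are hypothetical names and constructed input, not .NET types or real traffic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Values taken from the thread: <forms timeout="600"/> and a 2-hour session timeout.
FORMS_TIMEOUT_MIN = 600
SESSION_TIMEOUT_MIN = 120


@dataclass
class Ticket:
    """Minimal stand-in for a forms-authentication ticket (hypothetical model, not the .NET type)."""
    issue_date: datetime
    expiration: datetime


def issue_ticket(now: datetime, timeout_min: int = FORMS_TIMEOUT_MIN) -> Ticket:
    """Issue a fresh ticket valid for timeout_min minutes from now."""
    return Ticket(issue_date=now, expiration=now + timedelta(minutes=timeout_min))


def renew_if_due(ticket: Ticket, now: datetime,
                 timeout_min: int = FORMS_TIMEOUT_MIN,
                 sliding: bool = True) -> Tuple[Ticket, bool]:
    """Sliding-expiration rule as described in the thread: the cookie is only
    reissued when more than half of the timeout has elapsed since issue.
    An expired ticket is never renewed, and with sliding=False it never moves."""
    if not sliding or now >= ticket.expiration:
        return ticket, False
    if now - ticket.issue_date > timedelta(minutes=timeout_min) / 2:
        return issue_ticket(now, timeout_min), True
    return ticket, False


def session_alive(last_access: datetime, now: datetime,
                  session_timeout_min: int = SESSION_TIMEOUT_MIN) -> bool:
    """Assumed session-state rule: idle timeout, so the session survives only
    if the gap since the previous request is shorter than the session timeout."""
    return now - last_access < timedelta(minutes=session_timeout_min)


def simulate(request_offsets_min: List[int], sliding: bool = True,
             forms_timeout_min: int = FORMS_TIMEOUT_MIN,
             session_timeout_min: int = SESSION_TIMEOUT_MIN) -> List[Dict[str, object]]:
    """Walk a constructed request sequence (minutes after login) and record,
    per request, whether the auth ticket was still valid, whether the session
    had survived, and whether the ticket got renewed on that request."""
    login_time = datetime(2003, 1, 1, 8, 0, 0)  # constructed timestamp
    ticket = issue_ticket(login_time, forms_timeout_min)
    last_access = login_time
    events: List[Dict[str, object]] = []
    for offset in request_offsets_min:
        now = login_time + timedelta(minutes=offset)
        ticket_valid = now < ticket.expiration
        alive = session_alive(last_access, now, session_timeout_min)
        ticket, renewed = renew_if_due(ticket, now, forms_timeout_min, sliding)
        events.append({
            "t_min": offset,
            "ticket_valid": ticket_valid,
            "session_alive": alive,
            "ticket_renewed": renewed,
            "ticket_expires_at_min": int((ticket.expiration - login_time).total_seconds() // 60),
        })
        last_access = now  # any request touches the session (a new, empty one if it had expired)
    return events


def first_session_loss(events: List[Dict[str, object]]) -> int:
    """Offset (minutes) of the first request that found the session gone while
    the forms ticket was still valid, or -1 if that never happens."""
    for e in events:
        if e["ticket_valid"] and not e["session_alive"]:
            return int(e["t_min"])  # type: ignore[arg-type]
    return -1


if __name__ == "__main__":
    # Constructed request times: login, then gaps of 60, 140, 130 and 670 minutes.
    for e in simulate([0, 60, 200, 330, 1000]):
        print(e)
```

Running it shows the gap Hernan means: with a 140-minute pause the session is already gone at minute 200 while the cookie stays good until minute 600, and the cookie is not touched until a request arrives past minute 300, after which it is pushed out to minute 930. With `sliding=False` the cookie is never reissued and dies at 600 regardless of activity; passing `session_timeout_min=600` removes the session loss altogether, which is the "adjust one of the two values" fix from the post.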
 
Anders Lybecker

> If you are experiencing timeout problems, it might be the big gap between
> the session timeout and the Forms cookie timeout renewal.

Why should the gap cause this problem?

> The latter will
> renew its value when more than half the specified time has elapsed (5 hs).
> If you have a session timeout of 2 hours, then the session will expire long
> before the cookie. So adjusting the forms timeout or the session timeout
> value should solve this problem. However, I agree with Keith's comments about
> the suggested timeout values. Remember the "Defense in depth" security
> practice: although you may have a VPN or plenty of processing resources,
> the majority of attacks always come from the inside.

In a series of page requests after the user has logged in, one of them
suddenly fails and the login page is displayed. The timeframe is less
than 10 minutes - a lot less than the timeout.

Any suggestions?

Regards
Anders Lybecker
 
Hernan de Lahitte

Check the page sequence that makes the login page load.
Are all the pages in this seq. in the same application/forms auth scope?
Is your authz config something like this?

<authorization>
<deny users = "?" />
<allow users= "*" />
</authorization>
 
Anders Lybecker

> Check the page sequence that makes the login page load.
> Are all the pages in this seq. in the same application/forms auth scope?
> Is your authz config something like this?
>
> <authorization>
> <deny users = "?" />
> <allow users= "*" />
> </authorization>

The web.config:

<authorization>
<deny users="?"/>
</authorization>

The <allow users="*" /> is implicit.

Regards
Anders Lybecker
 
Pete

I've had the same problem too. It seems to work correctly at times but then
reverts to seemingly random timeouts.
Never did find out why it doesn't work as planned. BTW I'm using Win2003 +
.NET 1.1. However on my XP 1.1 dev box it works fine 100% of the time.

--
Cheers

Pete

XBOX Live Leagues & Tournaments
http://www.xboxracing.net/