I have an ASP.NET MVC application that was exhibiting some strange authentication timeout behavior. We had the timeout on the forms authentication tag in the web.config set to two days.

    <forms loginUrl="~/Login/Index" timeout="2880" />

What we noticed, though, was that the application was timing out around the 20 min mark. So, after researching the issue and trying various settings, we decided to add code to the global.asax in the Application_AuthenticateRequest method that reads the ticket from the cookie and updates the expiration.

    Sub Application_AuthenticateRequest(sender As Object, e As EventArgs)
        ' Nothing to refresh if the request carries no forms-auth cookie.
        Dim authCookie As HttpCookie = Context.Request.Cookies(FormsAuthentication.FormsCookieName)
        If (IsNothing(authCookie) OrElse authCookie.Value = "") Then
            Return
        End If

        Dim authTicket As FormsAuthenticationTicket
        Try
            authTicket = RefreshLoginCookie()
        Catch
            ' Decrypt failed (invalid or tampered ticket): leave the request unauthenticated.
            Return
        End Try

        'string[] roles = authTicket.UserData.Split(';');
        'if (Context.User != null) Context.User = new GenericPrincipal(Context.User.Identity, roles);

    End Sub

    Function RefreshLoginCookie() As FormsAuthenticationTicket

        Dim authCookie As HttpCookie = HttpContext.Current.Request.Cookies(FormsAuthentication.FormsCookieName)
        If (IsNothing(authCookie) OrElse authCookie.Value = "") Then
            Return Nothing
        End If

        ' Decrypt the ticket carried by the incoming cookie.
        Dim oldTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)

        ' New expiration: now plus the timeout configured on the <forms> element.
        Dim expiryDate As Date = DateTime.Now.Add(FormsAuthentication.Timeout)
        HttpContext.Current.Response.Cookies.Remove(FormsAuthentication.FormsCookieName)

        ' Reissue the ticket with the same identity and data but the new expiration.
        Dim newTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(oldTicket.Version, oldTicket.Name, oldTicket.IssueDate, expiryDate, oldTicket.IsPersistent, oldTicket.UserData, oldTicket.CookiePath)
        authCookie.Value = FormsAuthentication.Encrypt(newTicket)
        ' Cookie expiry mirrors the ticket expiry (set for debugging visibility).
        authCookie.Expires = expiryDate

        HttpContext.Current.Response.Cookies.Add(authCookie)

        Return newTicket

    End Function

Testing this in the Visual Studio 2012 debugger, everything worked beautifully, but once we deployed it to our IIS 7 environment the timeout issue returned.

To aid in my debugging I set the cookie expiration to be the same as the ticket's expiration so that I could easily tell what the ticket was being set to.

When the timeout occurs I see that the expiration should have occurred on 11/16, but that's not what's happening:

Here is the cookie information (at least the relevant information):

    Name        Expiration
    .ASPXAUTH   11/16/2014, 9:00:47

Putting logging in, I see that the expiration update succeeds on the next request, but I am still getting sent to the login.

I'm stumped. I know it must be some setting in IIS 7 that is causing this because, as I stated, it works fine in the debugger in Visual Studio (which is IIS 8 Express), so there must be something somewhere overriding this functionality.

I think it may be something specific to MVC though, because I'm using this same functionality on another site and am not seeing the same problem.

UPDATE

Forgot to mention, I'm also NOT seeing an authentication ticket timeout record in the event viewer.
