I have an asp.net MVC application that was exhibiting some strange authentication timeout behavior. We had the timeout on the forms authentication tag in the web.config set to two days.
<forms loginUrl="~/Login/Index" timeout="2880" />
What we noticed though was the application was timing out around the 20 min mark. So, after researching the issue and trying various settings we decided to add code to the global.asax in the Applicatoni_AuthenticateRequest method that reads the ticket from the cookie, and updates the expiration .
Sub Application_AuthenticateRequest(sender As Object, e As EventArgs) Dim authCookie As HttpCookie = Context.Request.Cookies(FormsAuthentication.FormsCookieName) If (IsNothing(authCookie) OrElse authCookie.Value = "") Then Return End If Dim authTicket As FormsAuthenticationTicket Try authTicket = RefreshLoginCookie() Catch Return End Try 'string roles = authTicket.UserData.Split(';'); 'if (Context.User != null) Context.User = new GenericPrincipal(Context.User.Identity, roles); End Sub Function RefreshLoginCookie() As FormsAuthenticationTicket Dim authCookie As HttpCookie = HttpContext.Current.Request.Cookies(FormsAuthentication.FormsCookieName) If (IsNothing(authCookie) OrElse authCookie.Value = "") Then Return Nothing End If Dim oldTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value) Dim expiryDate As Date = DateTime.Now.Add(FormsAuthentication.Timeout) HttpContext.Current.Response.Cookies.Remove(FormsAuthentication.FormsCookieName) Dim newTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(oldTicket.Version, oldTicket.Name, oldTicket.IssueDate, expiryDate, oldTicket.IsPersistent, oldTicket.UserData, oldTicket.CookiePath) authCookie.Value = FormsAuthentication.Encrypt(newTicket) authCookie.Expires = expiryDate HttpContext.Current.Response.Cookies.Add(authCookie) Return newTicket End Function
Testing this in visual studio 2012 debugger everything worked beautifully, but once we deployed it to our IIS 7 environment the timeout issue returned.
To aid in my debugging I set the cookie expiration to be the same as the ticket's expiration so that I could easily tell what the ticket was being set to.
When the timeout occurs I see that the expiration should have occurred on 11/16, but that's not what's happening :
Here is the cookie information (at least the relevant information) Name Expiration .ASPXAUTH 11/16/2014, 9:00:47
putting logging in I see that the expiration update succeeds on the next request, but I still am getting sent to the login.
I'm stumped. I know it must be some setting in IIS 7 that is causing this because as I stated, it works fine in the debugger in visual studio (which is IIS 8 Express) so there must be something somewhere overriding this functionality.
I think it may be something specific to MVC though, because I'm using this same functionality on another site and am not seeing the same problem.
Forgot to mention, I'm also NOT seeing an authentication ticket timeout record in the event viewer.