form authentication timeout not working

Discussion in 'General troubleshooting' started by 0000403, Jul 26, 2011.

  1. Hi, I have an MVC3 application that uses forms authentication to validate users.
    In web.config, I set the timeout to 2880 (minutes) as default. I also checked the session state menu in IIS7 which connects to my site, and disabled the session and selected "Uses cookies".

    Despite all my settings, my application redirects the user to the login page after being inactive for 30 seconds (I timed it).

    Here is the authentication attribute in web.config

    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" defaultUrl="/SGIC/Home" />
    </authentication>

  2. My Solution

    I had the same problem and have spent 2 days trying to fix this. There are some red herring posts about the app pool recycling if you go over 100MB in memory in your app. However this is not completely relevant. I went through the effort of writing my own Custom Session State Provider Store to eliminate this possibility. (as an fyi, it was pretty easy and probably not a bad idea)

    I contacted Winhost support and they told me that my app pool had recycled a few times, but not enough to provide an explanation as to why the session was disappearing after 30 seconds.

    After writing my own code to read the HTTP headers and process the cookies as opposed to using the Request.Cookies collection, I discovered that the problem was with the encryption and decryption of the authentication cookie. .NET was nice enough not to throw an error to the user and just ignore any bad cookies. So while you may see the cookie in the HTTP header, it doesn't get processed.

    In the end, it appears that you need to configure your machine key. It defaults to autogenerate, but does not default to the isolated app option. I haven't tested this in depth, but it appears to be what is happening. Being on a shared server, this would be an issue.

    I provided a machinekey in my web.config and that solved the problem. As this took me 2 days to figure out, I wanted to spare everyone the pain. The upside is I now have a custom session provider that uses a MySQL database so I guess the 2 days wasn't a complete loss.

    here is a link to generate a machinekey:
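
The failure described in the post above, as an added example that is not part of the original post and is not ASP.NET code: a simplified model in which a login cookie carries only an HMAC-SHA1 tag (real forms-authentication tickets are also encrypted), showing how a cookie issued under one validation key is silently dropped when checked under another. It also generates key material locally in the lengths that fit `validation="SHA1"` and `decryption="AES"`; the function names, the user `alice` and the assumption that the validating process holds a different key are made up for the illustration.

```python
import hashlib
import hmac
import secrets

def generate_machine_key():
    """Locally generated keys: 64-byte validation key (SHA1), 32-byte AES key."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}

def render_machine_key(keys):
    """Format the keys as the web.config element used in this thread."""
    return ('<machineKey validationKey="{validationKey}" '
            'decryptionKey="{decryptionKey}" '
            'validation="SHA1" decryption="AES" />').format(**keys)

def issue_cookie(username, validation_key_hex):
    """Toy ticket: hex payload plus an HMAC-SHA1 tag over it."""
    payload = username.encode("utf-8")
    key = bytes.fromhex(validation_key_hex)
    return payload.hex() + "." + hmac.new(key, payload, hashlib.sha1).hexdigest()

def read_cookie(cookie, validation_key_hex):
    """Return the username, or None when the cookie is malformed or its tag
    does not verify. No error is raised: the cookie is simply ignored."""
    try:
        payload_hex, tag = cookie.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    key = bytes.fromhex(validation_key_hex)
    expected = hmac.new(key, payload, hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload.decode("utf-8")

def simulate(fixed_key):
    """Issue a cookie, then validate it with the key in use on the next request."""
    issuing = generate_machine_key()
    # Assumption: without a fixed key, the validating process holds a different one.
    validating = issuing if fixed_key else generate_machine_key()
    cookie = issue_cookie("alice", issuing["validationKey"])
    return read_cookie(cookie, validating["validationKey"])

if __name__ == "__main__":
    print("different keys:  ", simulate(fixed_key=False))  # user looks logged out
    print("fixed machineKey:", simulate(fixed_key=True))
    print(render_machine_key(generate_machine_key()))
```
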
  3. THANK YOU! I have been looking everywhere for this solution.
  4. Iqdesign, thanks for posting your solution! I had been fighting with random logoffs for days, but adding a machinekey section to the web.config fixed everything.
  5. Great !!
    This solved my great problem in immediate session expiration !!
  6. May I know how to configure the web.config?
    I've added the machine key inside web.config, but still found random logoff..
  7. Thank you Iqdesign, it solved the problem!
  8. I still have hair!

    Thank you! I was going crazy trying to figure this out. No more pulling my hair out.
  9. Thank you, I have the same problem: logout after 30 minutes although I set the session timeout to 30 minutes in web.config. After I put in the machine key as you mention, the logout problem was solved, but I get another problem: after 5 minutes the content of the session is empty. I don't know how to solve this problem. Help please?
  10. Ray


    Last edited by a moderator: Oct 14, 2015
  11. SQL session state works! (steps included)

    thank you iqdesign! I used the generated machine key from that site you provided, inserted into my web.config, and turned on SQL session state via IIS7 and session is being maintained, as expected.

    There are 5 steps necessary to implement SQL Session...

    1. Used the generated machine key from

    2. In web.config, under <configuration>, <system.web>, I added...

    <sessionState mode="SQLServer" allowCustomSqlDatabase="true" sqlConnectionString="data Source=<Winhost server>;database=<your database>;user id=<your db user>;password=<your db password>" cookieless="false" timeout="<pick a number>" />
    <machineKey validationKey="<generated validation key>" decryptionKey="<generated decryption key>" validation="SHA1" decryption="AES" />

    NOTE: Winhost automatically recycles the app pool under 3 conditions - over 75% spiked usage within 5 minutes, over 100MB memory or over 20 minutes timeout.

    3. Run IIS7 and set up the machine key, both methods and keys, to the exact same values you placed in your web.config.

    4. In IIS7, also set up your SQL session state with the same connection string you have in the web.config. I also checked "Enable custom database". Note you are setting timeout in seconds for session, in minutes for cookies.

    5. You need to submit a ticket to support to add "sql session schema" to your database.

    Hope this adds clarification to the topic.
    Last edited by a moderator: Oct 14, 2015
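
A check for the web.config settings used in the steps above, added here as an example and not part of the original post or of any Winhost or Microsoft tooling: it flags auto-generated or wrongly sized `machineKey` values and a session timeout shorter than the login cookie's. The sample config and its placeholder keys are constructed; the key-length limits and the default timeouts (forms 30 minutes, session 20 minutes) are the ones documented for ASP.NET, and `check_web_config` is a made-up name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: placeholder values, not real key material.
SAMPLE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" timeout="2880" />
  </authentication>
  <sessionState mode="SQLServer" timeout="20" />
  <machineKey validationKey="ABCDEF0123" decryptionKey="AutoGenerate,IsolateApps"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""

HEX = re.compile(r"[0-9A-Fa-f]+")
AES_HEX_LENGTHS = {32, 48, 64}  # 128-, 192- or 256-bit AES key

def check_web_config(xml_text):
    """Return a list of findings for the settings discussed in this thread."""
    web = ET.fromstring(xml_text).find("system.web")
    mk = web.find("machineKey") if web is not None else None
    if mk is None:
        return ["no <machineKey>: keys are auto-generated"]
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.lower().startswith("autogenerate"):
            findings.append(attr + " is auto-generated, not fixed")
        elif not HEX.fullmatch(value) or len(value) % 2:
            findings.append(attr + " is not an even-length hex string")
    vkey, dkey = mk.get("validationKey", ""), mk.get("decryptionKey", "")
    if HEX.fullmatch(vkey) and not 40 <= len(vkey) <= 128:
        findings.append("validationKey must be 40 to 128 hex characters")
    if (mk.get("decryption") == "AES" and HEX.fullmatch(dkey)
            and len(dkey) not in AES_HEX_LENGTHS):
        findings.append("AES decryptionKey must be 32, 48 or 64 hex characters")
    forms = web.find("authentication/forms")
    session = web.find("sessionState")
    if forms is not None and session is not None:
        f, s = int(forms.get("timeout", "30")), int(session.get("timeout", "20"))
        if s < f:  # session data is gone while the user is still logged in
            findings.append("session expires after %d min, login cookie after %d" % (s, f))
    return findings

if __name__ == "__main__":
    for finding in check_web_config(SAMPLE):
        print("-", finding)
```
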
  12. cannot log in

    Hello, I was trying to reproduce the steps which scotty mentions in the post before mine, but with no luck. Let me first describe my situation:
    I'm using MVC3 with NHibernate and C#. Everything goes as expected (communication with the db) but I cannot log in to my app. So after I found this post I submitted a ticket to support to have the SQL session schema on my db; that was done really fast by support. After that I followed the steps from scotty's post (even twice to be sure) but the same thing appears: cannot log in.

    I asked Winhost support for help, no luck. Worth mentioning is that in my dev environment everything runs smoothly.

    Here is my machine code screenshot and sql session state screenshot.

    please help
    Last edited by a moderator: Oct 14, 2015
  13. iqdesign: THANK YOU SO MUCH. You just helped me solve a problem with my new website that has been nagging at me for nearly 2 weeks. If I could give you a hug, I would.
  14. I am still having problems with this

    <machineKey validationKey="B #other key letters D" decryptionKey="E #other key letters D0" validation="SHA1" decryption="AES" />

    <sessionState mode="SQLServer" allowCustomSqlDatabase="true" sqlConnectionString="data;database=DB#####z;user id=DB######r;password=######" cookieless="false" timeout="300" />

    is there anything missing?

    I set up the SQL session tables using aspnet_regsql.exe locally; does that matter?

    Last edited by a moderator: Oct 14, 2015
  15. Thank you thank you thank you iqdesign! :)
