asp.net authenication timeout - UK Web Hosting | Dedicated Server Windows and Linux VPS Forum

**westy** · #1 (**permalink**) 23-01-2008, 17:17

I have an on going problem with the users of my asp.net website hosting being logged off all the time. They can be logged off after just a few minutes.

My web site hosting uses the asp login control and forms authentication for users to login and that works fine.

I have the following in my web.config :

HTML Code:

<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="Default.aspx" timeout="525600" slidingExpiration="true" defaultUrl="Default.aspx"/>
</authentication>

The timeout property is set, in minutes, to 1 year however they are logged off after a few minutes of inactivity. My web site hosting is hosted on eurofighter.

Any ideas?

**eUK-Martin** · #2 (**permalink**) 23-01-2008, 17:26

The default setting for an Application Pool to get recycled is "5 mins idle time". If a user or a session is idle for 5 mins the application Pool will get recycled clearing the idle session.

One can edit these settings if they have a dedicated application pool for their web site hosting however there is not settings in Plesk to do so. You will need to ask us to it for you. It can be via Live chat or support system.

**westy** · #3 (**permalink**) 23-01-2008, 21:02

Thanks for the advice Martin. I will do that.

Rock · #4 (**permalink**) 24-01-2008, 02:38

It's insecure to have authenticated sessions to be kept active for that long duration. I'd advise you limit the timeout value upto 10-15 mins MAX.
One can re-authenticate if that value is reached or crossed...

**westy** · #5 (**permalink**) 28-01-2008, 14:26

OK, i've had this changed to 1 hour. The nature of my website hosting is that people lookup some information on the site, then go away to other website hostings to act on that information, and then return to my website hosting for more information. It was annoying to have to log back in each time but this is now sorted

However i have another related problem. My web site hosting has a 'remember me' option when you login so you do not have to login again after a browser shut down and restart. I previously thought it was just not working but it seems that it is. Now the recycling timeout has been set to 1 hour it does work, provided that it's within 1 hour of closing your browser. Obvously there may be days between visits to the website hosting so this is not ideal.
I have read that if the decryption and validation keys used for encryption are not maintained between App Pool recycling then this results in any encrypted cookies, including the forms auth cookie not being decrypted on any subsequent requests from the browser and they are discarded. A way around this is to edit the machine.config with a static decryption and validation keys.

Heres a website hosting that explains it better then me:
usingtangent.blogspot.com/2006/10/cookie-timeout-problem.html

Can you edit the machine.config with a static decryption and validation key for my website hosting to sort this problem?

**eUK-Martin** · #6 (**permalink**) 28-01-2008, 15:08

Well machine.config is a server end configuration file for ASP .NET and its sessions. Therefore it would be posisble to edit it as we would like to have the default settings for all the other clients on the server. However you can surely have it edited on non-shared plans, like VPS Hosting, semi-dedicated or dedicated.

**westy** · #7 (**permalink**) 28-01-2008, 16:24

Hi Martin

Sorry i'm not quite clear on what your saying. Correct me if i misunderstood but are you saying that for my shared hosting on eurofighter it is NOT possible for you to edit the machine.config on my behalf because it will affect all the other clients on that server but it IS possible on a non-shared plan?

Thanks
westwok

**eUK-Martin** · #8 (**permalink**) 28-01-2008, 17:34

Quote:

Originally Posted by westy

Hi Martin

Sorry i'm not quite clear on what your saying. Correct me if i misunderstood but are you saying that for my shared hosting on eurofighter it is NOT possible for you to edit the machine.config on my behalf because it will affect all the other clients on that server but it IS possible on a non-shared plan?

Thanks
westwok

Yeah thats correct.. any change to machine.config will effect all the accounts/domains on the server. If you want we can disable Application pool recycling on your domain however then it won't kill any sessions.. whether required or not.

**westy** · #9 (**permalink**) 28-01-2008, 23:11

Rather than turn it off, how about a compromise of setting it to recycle every 43200 minutes (30 days)? This way users who choose the option of 'Remember Me' will only have to log back on once a month but the web site hosting still gets the benefit of being recycled every so often.

**eUK-Martin** · #10 (**permalink**) 29-01-2008, 13:46

This can definitely be achived by mailing us on windows [at] eukhost.com. However I am sure there should be a different solution to over come this problem or rather make it more secure.