I have done this in my web.config.
<system.web>
  <sessionState mode="InProc" timeout="3"></sessionState>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="2880"/>
  </authentication>
</system.web>
After session timeout it clears all the data, but it is not redirected to the login page.
Session timeout has nothing to do with authentication timeout - an InProc session is held in memory whereas the authentication token is a cookie which contains an expiry date/time.
What you would have to do is force the expiration of the authentication ticket in the Session_Ended event in the global.asax - see this answer on how to do that as it's not just as simple as calling FormsAuthentication.SignOut.
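One way to tie the two lifetimes together, added here as an example and not taken from the answer above or the post it links to. Session_End runs on the server with no request or response available, so it cannot clear the browser's cookie; the check below runs on the next request instead, in Application_PostAcquireRequestState. It assumes the login action stores the user name in Session under the hypothetical key "AuthUser" right after issuing the authentication cookie.

```csharp
// Global.asax.cs (added example; assumes classic ASP.NET / MVC 5 with Forms authentication).
using System;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // Hypothetical key: the login action is assumed to run
    // Session[SessionMarker] = userName right after it issues the auth cookie.
    private const string SessionMarker = "AuthUser";

    // Runs on every request once session state (if any) has been loaded.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Handlers that do not use session state (static files, bundles) have no Session.
        if (ctx == null || ctx.Session == null) return;

        // Anonymous requests are already handled by <authorization> and loginUrl.
        if (!ctx.Request.IsAuthenticated) return;

        // Valid auth cookie, but the server-side session that login created is gone
        // (sessionState timeout elapsed, or the app pool recycled an InProc session).
        if (ctx.Session[SessionMarker] == null)
        {
            // Clear the forms-authentication cookie on this response.
            FormsAuthentication.SignOut();
            ctx.Session.Abandon();

            // Sends a redirect to loginUrl with ReturnUrl set. This call does not
            // end the request by itself, hence CompleteRequest() below.
            FormsAuthentication.RedirectToLoginPage();

            // Skip the rest of the pipeline so the protected action does not execute.
            CompleteRequest();
        }
    }
}
```

With this in place the shorter of the two timeouts decides when the user is sent back to the login page, and an application pool recycle signs users out rather than leaving an authenticated request with an empty session.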
I am using Forms authentication in IIS/MVC.
<authentication mode="Forms">
  <forms loginUrl="~/Login" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>
I am issuing an HTTP PUT webapi request, and it times out because my cookie expired. The user quite rightly is redirected to http://Login but the request to the Login url is a PUT rather than a GET.
Because my Controller only supports GET, this results in a 404.
Is there a way to force the redirect to the login Url to always be a GET regardless of the type of the original request?
When there is a redirect to Login action method, by default, the type is PUT even though the previous request is PUT/GET/POST/DELETE. Just tried your scenario. Had decorated an action with POST and it redirected to Login with type GET. Could you check if you missed anything else?
My MVC 5 site has web.config like this:
<authentication mode="Forms">
  <forms name=".ADAuthCookie" loginUrl="~/Account/Login"
         timeout="2880" slidingExpiration="true" protection="All" />
</authentication>
But the timeout doesn't work. It doesn't matter what value I give here, it always expires after 20-30 mins. How can I keep users logged in for a longer period or until they sign out?
Is there any way I can achieve this using "In-Proc" only? Or am I missing something here?
You are dealing with two separate issues, auth timeout and session timeout. Session timeout is controlled by the following key in web.config...
<system.web>
<sessionState mode="InProc" timeout="30" />
</system.web>
I'm not sure which you are encountering but I suspect it is the session timeout you are encountering rather than the authentication timeout... Try removing the timeout from your forms tag entirely and see if that gives you what you are looking for.
More information here-
forms timeout issue in asp.net mvc
My current running configuration looks like this
<sessionState mode="InProc" timeout="30" />
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" protection="All" name="Auth_Cookie" path="/" slidingExpiration="true" timeout="30" />
</authentication>
So I expect it to at least let the user be logged in for half an hour (if he does not make any requests),
but the session timeout is hit after about 3-4 minutes if the user is not active. I mean global.asax's Session_End event is hit in this time and then in the Application_PostAcquireRequestState event I check if any session variables are null, and if they are then I sign the user out and redirect him to the login page. I can't see what the problem is. Am I misunderstanding how this whole thing works? What should I do in order to achieve what I want? Thanks in advance.
From your comment:
I am constantly rebuilding the solution. Is that it? Can it be
clearing session variables?
So basically you are recycling the application pool, killing everything stored in the session. The biggest problem with ASP.NET Session is that by default it is stored in-memory:
<sessionState mode="InProc" />
This has the drawback that if the application pool is restarted you will lose everything you stored in it. And don't forget that the application pool could be restarted by IIS at any time. For example after some period of inactivity or if some CPU/memory thresholds are reached. Also if you deploy your application in a web farm, InProc session simply won't work because the nodes of your farm cannot share session information.
All those drawbacks are the reasons why I never use ASP.NET Session in my web applications and simply put this in my web.config:
<sessionState mode="Off" />
In my Web.config file, I have been trying to set the session timeout. I used the following code:
<configuration>
<system.web>
<sessionState timeout="1"></sessionState>
</system.web>
</configuration>
When I ran the app, the timeout was still set to the default 20 minutes. Trying to figure out why the settings are not applying. Please help! Thanks!
Don't be confused between ASP.NET session timeout (which is what you set) and Forms Authentication cookie timeout which is something entirely different and controlled by the <forms> tag:
<authentication mode="Forms">
  <forms
    loginUrl="/login"
    timeout="1" />
</authentication>
ASP.NET session uses cookies to track users (it has nothing to do with authentication) and associate their unique id with a hashtable stored on the server. Forms authentication on the other hand is a means of tracking authenticated users in ASP.NET. It uses cookies but it is a different cookie than the ASP.NET session.
How do I time out the session of a logged-in ASP.NET MVC user after about 5 mins or so, forcing him to log in again in order to continue?
Since MVC is just like WebForms in that they both run on ASP.NET and assuming you're using Forms Authentication you can either:
Force the user to log out with FormsAuthentication.SignOut() which will clear their authentication cookie; or
Set the forms authentication timeout value (default is 30 minutes). For example:
<system.web>
  <authentication mode="Forms">
    <forms timeout="5"/>
  </authentication>
</system.web>