0

I'm working on a project where we are using ASP.NET MVC 5, and we have some problems with an unexpected logout after 5 min of inactivity on a page.

I have this in my web.config:

    <sessionState timeout="30"/>
    <authentication mode="None"/>

What do you think is causing this in the project?

If you need more information, please ask.

Thanks.

PS: My AuthenticationType is ApplicationCookie

PS2: Added a machine key to web.config and it still logs out after a couple of minutes:

    <machineKey validationKey="string" decryptionKey="otherstring" validation="SHA1" decryption="AES" />

PS3: Locally everything works fine.

jony17

2 Answers

4

SessionState timeouts have nothing at all to do with login timeouts. The user's information for a login is stored in an encrypted cookie. Based on what you said your Authentication Type is, you need to change the setup of your ASP Identity in the StartUp class.

    // Goes in the Startup class. Namespaces needed: Owin, Microsoft.Owin (PathString),
    // Microsoft.Owin.Security.Cookies, Microsoft.AspNet.Identity.
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        LogoutPath = new PathString("/Account/Logout"),
        // Here is where you tell the system how long someone can stay logged in
        // while being inactive.
        ExpireTimeSpan = System.TimeSpan.FromMinutes(60),
        SlidingExpiration = true,
        CookieName = "LoginCookie"
    });

Edit

Given that you are hosting on a cloud service, you are most likely not sitting on a single server, but rather your application is deployed to multiple servers behind a load balancer which directs requests to multiple machines. When you are not guaranteed to be on a single server, you need to define the MachineKey in your web.config. This key is what is used to encrypt/decrypt the LoginCookie. If the MachineKey is not defined, IIS makes one up. When on multiple servers, each server in that case would have its own MachineKey. Since the keys are different, they cannot decrypt each other's login cookies and thus, they think you are not logged in.

    <system.web>
        <machineKey validationKey="BigLongNumber" decryptionKey="DifferentBigLongNumber"
                    validation="SHA1" decryption="AES" />
    </system.web>

Machine Key Generator

Tommy
  • Ok, now for some reason, after a couple of minutes inactive, when I refresh the page the LoginCookie disappears and the user is logged out. What could cause this? – jony17 Oct 10 '14 at 15:09
  • @jony17 - is this across all browsers? – Tommy Oct 10 '14 at 15:24
  • I will check. I'm testing mostly on chrome. – jony17 Oct 10 '14 at 15:29
  • Yes, it happens on firefox and chrome. @Tommy – jony17 Oct 10 '14 at 15:47
  • The only thing I can think of is to check if your server has the correct time on it. The cookie is time based and if the server has the incorrect time, it may be thinking that the cookie has expired. If you increase the ExpireTimeSpan to something crazy like 1 year, do you still get the same issue? – Tommy Oct 10 '14 at 15:49
  • I already put in with 5 days and still logout. I will try something more crazy. – jony17 Oct 10 '14 at 15:50
  • I wouldn't think it would be that far off. :) – Tommy Oct 10 '14 at 15:53
  • @jony17 - Where are you deploying this application to? – Tommy Oct 10 '14 at 15:54
  • It's on a cloud service, with Windows 2012, .NET Framework 4.5 and SQL Server 2012. – jony17 Oct 10 '14 at 15:55
  • Still the same. These are my cookies: [link](https://www.dropbox.com/s/2hbh5g1mbefykcc/cookies.png?dl=0) – jony17 Oct 10 '14 at 16:23
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/62838/discussion-between-jony17-and-tommy). – jony17 Oct 10 '14 at 16:27
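
A simplified model of the machine-key explanation in the answer above, as an added example that is not part of the original answer or of ASP.NET's code. It keeps only the validation (HMAC) step of the login cookie; the function names, ticket layout and sample values are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

def new_key() -> bytes:
    """Random key standing in for a machineKey validationKey (model only)."""
    return secrets.token_bytes(64)

def issue_cookie(key: bytes, user: str, ttl_s: int, now: float) -> str:
    """Serialize a ticket with an absolute expiry and append an HMAC tag."""
    ticket = json.dumps({"user": user, "exp": now + ttl_s}).encode()
    body = urlsafe_b64encode(ticket)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{tag}"

def validate_cookie(key: bytes, cookie: str, now: float):
    """Return the user name, or None when the node treats the request as anonymous."""
    body, _, tag = cookie.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # signed with a different key: indistinguishable from tampering
    ticket = json.loads(urlsafe_b64decode(body))
    if now >= ticket["exp"]:
        return None  # expired according to this node's own clock
    return ticket["user"]

def simulate() -> dict:
    """Two load-balanced nodes, first with per-node keys, then with one shared key."""
    now = 1_413_000_000.0  # constructed timestamp
    key_a, key_b, shared = new_key(), new_key(), new_key()
    auto = issue_cookie(key_a, "alice", 3600, now)   # node A, auto-generated key
    farm = issue_cookie(shared, "alice", 3600, now)  # node A, key shared by the farm
    return {
        "same_node": validate_cookie(key_a, auto, now + 300),
        "other_node_auto_key": validate_cookie(key_b, auto, now + 300),
        "other_node_shared_key": validate_cookie(shared, farm, now + 300),
        "shared_key_clock_2h_ahead": validate_cookie(shared, farm, now + 7200),
    }

if __name__ == "__main__":
    for case, user in simulate().items():
        print(f"{case:26} -> {user or 'anonymous (redirect to login)'}")
```

Only the shared-key case survives a hop to the other node, and even then a node whose clock runs ahead of the issuer rejects the cookie as expired, which is the server-time check suggested in the comments.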
2

Please extend your application pool timeout. It would solve the problem because, from the config posted, your website is using Session InProc mode, the default one.

Once the application is recycled, your information stored in the w3wp process would be gone.

Since you are using cloud services, you might also want to check how the load balancing works.

If they are not using sticky sessions, it is best to change your session mode as well, to StateServer or SQLMode.

Hope it helps. Let me know the result. Thanks

Hatjhie
  • Thanks for the answer. I tried SQLMode, because I don't have permissions to extend the application pool timeout, and it is fine now. In the beginning I was facing some difficulties because I'm on shared hosting and have limited access to the web server, so I ran the script on my local DB, backed it up and restored it to the server DB. – jony17 Oct 13 '14 at 13:01