0 votes

We've got a huge problem. We're using the Belgian eID (electronic identity card, this is a smart card). The Claim which is returned is used by our Forms Authentication.

Everything works fine, but after 10 minutes (of activity or inactivity, doesn't matter), it automatically logs out.

Here is the code fragment where we create the session:

private void CreateSession(ClaimsPrincipal transformedPrincipal)
{
    // WIF session token (the FedAuth cookie), valid for one hour from now
    SessionSecurityToken sessionSecurityToken = new SessionSecurityToken(transformedPrincipal, TimeSpan.FromHours(1));
    // Write the token to the session cookie so it is sent on subsequent requests
    FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionSecurityToken);
}

In the Web.config, we set the session timeout:

<sessionState cookieless="false" timeout="60" />

On the IIS server, we set the Application Pool Idle Time-out to 8 hours.
We also set the Regular Time Interval of the recycling to 8 hours.

1
Please check your web.config file and extend the lifetime of sessions. - Arif YILMAZ
Are you sure it's the session and not the forms authentication that is timing out? i.e. do they have to re-log in? Also, what is your cookie expiry time? - Dominic Zukiewicz
@ayilmaz: We already tried this. Didn't work. - ThirtyOne34
@DominicZukiewicz: I am not sure which one is timing out. They have to re-login. We believe our cookie expiry time is set by the SessionSecurityToken (i.e. 1 hour), is this incorrect? - ThirtyOne34

1 Answer

0 votes

Quick hack:

Set the session 2 minutes later than the forms timeout. This ensures that the session is not killed on the exact second the authentication dies. But remember, sessions are independent of forms (see this blog for more details).

<system.web>
   <authentication mode="Forms">
      <forms timeout="20" loginUrl="-- Login Page here --"/>
   </authentication>

   <sessionState mode="InProc" timeout="22"/>
</system.web>

Deeper investigation:

I would try and work out which one specifically is timing out. This is a fairly easy test, and will save you quite a lot of time.

So, the sections required are these, with a forms timeout of 1 minute and a session timeout of 10000:

<system.web>
   <authentication mode="Forms">
      <forms timeout="1" loginUrl="-- Login Page here --"/>
   </authentication>

   <sessionState mode="InProc" timeout="10000"/>
</system.web>

So login, browse to a page, wait one minute and refresh the site and you should see the login page.

In your favourite browser, open a developer toolbar and browse the cookies that are stored for this site. There should be 2 cookies:

  • ASP.NET_SessionId - to track your session
  • .ASPXAUTH - to track your login (unless your browser has deleted it due to expiration)

You should see that the expiration time for the session (ASP.NET_SessionId) is in the future, but the form (.ASPXAUTH) has expired.

Login again, and your session should be the same as before.

Reverse the settings and you should find the reverse is happening, i.e. you are logged in for a long period of time, but it is resetting.

Tracing the session end event

One more thing you can try is in your Global.asax. Make sure your sessionMode='InProc' in your web.config and add a method:

using System.Diagnostics; // for Debugger

// Only works with sessionMode='InProc'
protected void Session_End(object sender, EventArgs e)
{
   // Break into the attached debugger the moment the session is torn down
   if(Debugger.IsAttached)
      Debugger.Break();
}

The breakpoint will hit when the session dies, which you may be able to track back via the call stack to the exact reason why it has expired. This can come about when code calls Session.Abandon() as well.
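The comparison the answer above describes can also be done from the server side instead of the browser's cookie viewer. The following Global.asax.cs is an added diagnostic example, not code from the question or the answer; it assumes .NET 4.5 WIF namespaces (System.IdentityModel.Services), that the WIF module is registered in web.config under the name SessionAuthenticationModule, and that tracing output is collected with DebugView or a TraceListener. On every request it records the remaining lifetime of the WIF session token (FedAuth cookie), the Forms ticket expiry (.ASPXAUTH) and whether the ASP.NET_SessionId cookie is present, so the first log line where one of them disappears tells you which timeout fired.

```csharp
// Global.asax.cs - added diagnostic example (assumption: .NET 4.5 WIF namespaces)
using System;
using System.Diagnostics;
using System.IdentityModel.Services;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Auto-wired by ASP.NET from the module name "SessionAuthenticationModule" in web.config.
    // Fires on every request that carries a valid FedAuth (WIF session) cookie.
    void SessionAuthenticationModule_SessionSecurityTokenReceived(
        object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var token = e.SessionToken;
        Trace.WriteLine(string.Format(
            "[WIF] FedAuth ValidFrom={0:u} ValidTo={1:u} remaining={2}",
            token.ValidFrom, token.ValidTo, token.ValidTo - DateTime.UtcNow));
    }

    // Runs after authentication on every request; reports the two other cookies.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;

        // Forms ticket (.ASPXAUTH): decrypt it to read its own expiry, independent of the WIF token
        HttpCookie authCookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie != null)
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
            Trace.WriteLine(string.Format("[Forms] ticket Expiration={0:u} Expired={1}",
                ticket.Expiration, ticket.Expired));
        }
        else
        {
            Trace.WriteLine("[Forms] no " + FormsAuthentication.FormsCookieName + " cookie on request");
        }

        // Session cookie presence and the resulting authentication state for this request
        bool hasSessionCookie = request.Cookies["ASP.NET_SessionId"] != null;
        bool isAuthenticated = Context.User != null && Context.User.Identity.IsAuthenticated;
        Trace.WriteLine(string.Format("[Session] ASP.NET_SessionId present={0} IsAuthenticated={1}",
            hasSessionCookie, isAuthenticated));
    }

    // Only raised for sessionState mode="InProc"; logs the session teardown itself
    protected void Session_End(object sender, EventArgs e)
    {
        Trace.WriteLine("[Session] Session_End fired for SessionID=" + Session.SessionID);
    }
}
```

Because the three timestamps are written on the same request, a logout at the 10-minute mark shows up as exactly one of the three lines changing state while the others still report time remaining.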