Changing session timeout for ASP.NET MVC 4 app - session

My app is configured to run through IIS. I'm trying to change the session timeout from the default 20 minutes to 1 minute.
I've tried the following, with no success:
Changed the Idle Time-out (minutes) property in the App Pool (figure 1)
Changed the Time-out property in the ASP page of the App configuration in IIS (figure 2)
Added <sessionState mode="InProc" timeout="1"/> under <configuration><system.web>
Any ideas or suggestions would be greatly appreciated.
Thanks.

Related

Session Timeout not working on classic ASP

I am working on classic Asp application. I am trying to set the session timeout as 5 minutes. But it's not working. I tried with following solutions but no luck.
Tried by setting the session.timeout = 5in web.config.
Tried by setting the session.timeout = 5 in global.asa file in both Application and Session event.
Set the session.timeout property of ASP in IIS.
Set the idle timeout of application pool of the web page.
I am using IIS8.5 and server 2012 OS.
Anyone help me to solve this issue?
Have you try to put session.timeout in very top of your pages, before all script tag? Can you show your web.config and global.asa? If success you need to put session.timeout in all pages

Login Session lost sometimes when redirect to action in asp.net mvc 3

While deploy an asp.net mvc 3 project, I got the issue recently which I have no idea why it happened.
I have a class named LoginSesion which will get the Authenticated User when user login and store in session.
public static LoginSession AuthenticatedUser
{
get
{
if (HttpContext.Current.Session["LoginSession"] != null)
return HttpContext.Current.Session["LoginSession"] as LoginSession;
return null;
}
set
{
HttpContext.Current.Session["LoginSession"] = value;
}
}
When I run the project, try to redirect user to a specific URL (e.g. http://localhost/user/details/1), the HttpContext.Current.Session["LoginSession"] come to Null and redirect user back to Login page.
The weird thing is this does not always null, just sometimes. And when server runs too slow, it happens too although the session has not expire yet.
I have set in the web.config the session timeout as follow:
<authentication mode="Forms">
<forms loginUrl="~/UserProfiles/Logon" timeout="2880" />
</authentication>
and
<sessionState mode="InProc" timeout="2880" />
I'm using IIS 7.x for publishing and testing.
You have to consider the following things:
1) The sessionState timeout is updated (restart from 0) every time a user calls a page. By contrast, the form timeout is updated every time a user calls a page AND at least half of the timeout (2880 in your case) is passed. That means, the two timeouts are not synchronized.
2) Pay attention to the Idle Time-out property in IIS application pool. It is about the time after which the application pool is recycled. That means that session variables are lost.
That what you need - add this code to web.config/system.web:
<machineKey validationKey="C5034160419189092507195D247C6FCD9F54D7A967372A23078E09F6440087328A874AD69955F441B526A265CC3A17CDEAAE8AB21A16868F549C3077C39C8E9F" decryptionKey="078FAD13FAC4E41EB0762F0B34E3F4990A144897C3387A70A746187F3AECD8DE" validation="SHA1" decryption="AES" />
<sessionState timeout="300" mode="InProc"></sessionState>
this machinKey was generated from http://aspnetresources.com/tools/machineKey

show session expired message for longer time before redirecting to login page

All,
in my liferay portlet when the session expires, the page gets redirected to login page.
Before redirecting to login page we are showing the message saying Session expired, redirecting to login page. Problem is that the message just flashes before the login page appears. I want to show this message say for some 3 sec before redirecting to login page. Is there any portal-ext property to specify this. My current contents of portal-ext.properties file is
session.timeout.warning=1
session.timeout.auto.extend=false
session.timeout.redirect.on.expire=true
help..
session.timeout.warning indicates the duration of the countdown warning.
For eg., if it is set to 1, it means User will be warned for 1 minute.
Below configuration in web.xml indicates that if User remains idle for 30 minutes without doing any activity, his Session will be destroyed.
<session-config>
<session-timeout>30</session-timeout>
</session-config>
For more details on this behaviour, please read this bug in session warning interpretation post.
As a side note there is a nice Jquery plugin for your requirement.
If you want Session to be destroyed after 30 mins but at 29th minute you want to Warn the User, then your code will look like below,
$j.idleTimeout('#dialog', 'div.ui-dialog-buttonpane button:first', {
idleAfter: 10440, // 29mins
..
..
Now as you know your session will expire after 30 mins. So, after 30th min, your session will expire and return to your configured page.
This is possible and you can take help of following JQuery plugin which provides this feature with customization at different levels. You can configure these customization when the plugin is initialized, like one below.
....
force: 300000,
....
https://www.jqueryscript.net/other/Session-Timeout-Alert-Plugin-With-jQuery-userTimeout.html
Demo: https://www.jqueryscript.net/demo/Session-Timeout-Alert-Plugin-With-jQuery-userTimeout/

reasons for being logged out before actual timeout in Forms Authentication

I have a asp.net MVC 3.0 website hosted on a subdomain of a main website . Asp.net version is set to .Net 4.0 integrated pipeLine .
the Forms Authentication settings is as below :
<authentication mode="Forms">
<forms
cookieless="UseCookies"
defaultUrl="~/home"
enableCrossAppRedirects="false"
path="/"
requireSSL="false"
loginUrl="~/account/login"
protection="All"
timeout="120"
slidingExpiration="true"
name=".SubDomainAuthCookie"></forms>
</authentication>
but it logs me out just after few minutes each time ! the Host Admins say that is maybe because of improper coding or heavy tasks that cause the application pool to reset , but it's a simple mvc website with EF ORM . I can't figure out what to do ! what should I look for as possible cause of this situation ?
Update :
after checking Application_Start , I find that it's the problem , I logged Application_Start() and the result is whenever I'm being logged out , a log is added .
12/6/2012 12:14:03 PM ==> Application started
12/6/2012 12:16:35 PM ==> Application started
12/6/2012 12:22:59 PM ==> Application started
strange ,but real . there is nothing complicated or heavy in the logic ! Could EF be the problem , does it consume a lot of memory/CPU that cause application pool to reset ?
Check there's no other application using name=".SubDomainAuthCookie". These applications can overwrite their cookies.
Are you using FormsAuthentication.SetAuthCookie before calling FormsAuthentication.RedirectFromLoginPage in login page? If not, probably authentication cookies are not set properly.
Try to log Application_End of global.asax.cs to know if your app is recycling too much.
protected void Application_End(object sender, EventArgs e)
{
/log the Application_End/
}
As mentioned by #ZippyV in one of the answers below, the reason behind this is that IIS is by default set to automatically generate a pair of keys for decryption and validating authorization cookie contents (as well as other things) on each AppPool recycle called MachineKey. Also mentioned in this question
When this key is changed, stored authorization cookie contents on all browsers is no longer readable and authorization is lost.
The most simple remedy is to use a static MachineKey in your web.config
Also try to set the cookies to be the parent domain. more info here.
I had this problem too when my hosting provider recycled my site's process too often. For some reason the authentication cookie becomes invalid because the encryption/decryption keys change. And so your site is not able to read the authentication cookie anymore.
You can solve this problem by specifying the keys in your web.config so that they can't get changed by your hosting provider:
Go to http://aspnetresources.com/tools/machineKey and click the button
Copy the generated tag
Open your web.config file and paste the generated tag inside <system.web>
You also want to set the expire time of cookie which has been generated while you log in.
And in form authentiction you have to use this.
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, //Here Userinformation, DateTime.Now, DateTime.Now.AddDays(1), false, string.Empty);
Here i have set the expire of cookie to DateTime.Now.AddDays(1) (loggin date+1day) so its too long it will be logged in.
So the created ticket will be expired on next day from when you logged in.
And in Web.Config
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
Now for a long time you can be logged in.
Hope it helps!!!
Check these links for deeper clarification on create loggin and expire time.
http://www.hanselman.com/blog/WeirdTimeoutsWithCustomASPNETFormsAuthentication.aspx
And
http://codeasp.net/blogs/vivek_iit/microsoft-net/848/forms-authentication-timeout-vs-session-state-timeout
Have you checked value in SessionState? It's default value is 20 Mins. You need to update it to same or greater than form authentication ticket.
Please add/update following tag in your configuration file.
**<sessionState timeout="120" />**

IIS 7.5 not taking notice of customErrors for 404 returned by MVC 3 app

I'm running my MVC 3 app (recently updated from 2) on IIS 7.5 (Win 7 64bit) with a .NET 4.0 integrated pipeline app pool and have the following set-up in web.config:
<customErrors mode="On" defaultRedirect="~/Problem/Oops" redirectMode="ResponseRedirect">
<error statusCode="404" redirect="~/Problem/NotFound" />
</customErrors>
If an action method on a controller throws an exception the server and hence generates a 500 errorcode it correctly sends the browser to the default redirect URL.
However if my action deliberately returns a HttpNotFoundResult via HttpNotFound() I get the IIS 7.5 404.0 error page and not the one indicated in my web.config.
If I enter a URL that doesn't exist on my app like http://localhost/MyApp/FOO then I do get shown the page as indicated by the web.config.
Anybody have any ideas why I'm not getting redirected to my custom 404 error page when using HttpNotFound()?
Please try below syntax instead of calling HttpNotFound and let me know the result ;)
throw new HttpException(404, "NotFound");
Have you tried setting Response.TrySkipIisCustomErrors = true;?
(see http://blog.janjonas.net/2011-04-13/asp_net-prevent-iis_75_overriding-custom-error-page-iis-default-error-page)

Resources