Stumped on FormsAuth Cookie Timing Out


George Durzi

hi all, I am totally stumped, and I need your help.
My authentication cookie (using FormsAuth against Active Directory) is
expiring way too often (like less than 20 minutes). I have it set to expire
in 8 hours. I'm not deploying anything to the site, so I'm not resetting the
application during that time.

Here's all the code which deals with any authentication. Any feedback would
be GREATLY appreciated.

in web.config
<authentication mode="Forms">
<!-- timeout is in minutes (480 = 8 hours). requireSSL and slidingExpiration are not set
     here, so the framework defaults apply to the auth cookie. -->
<forms loginUrl="login.aspx" name="adAuthCookie" timeout="480" path="/"
/>
</authentication>

User Login Function (References LDAPAuthentication class, unnecessary for
this example)

#region LoginUser
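/// <summary>
/// Validates the submitted credentials against Active Directory and, on success,
/// issues the forms-authentication cookie and redirects the user.
/// </summary>
/// <remarks>
/// The user's AD groups are stored in the ticket's UserData and read back by
/// Application_AuthenticateRequest, so a change in group membership is not seen
/// until the user logs in again.
/// </remarks>
private void LoginUser()
{
    // Retrieve LDAP Connect String and Domain Name
    string sADPath = ConfigurationSettings.AppSettings["LDAPConnectString"].ToString();
    string sDomain = ConfigurationSettings.AppSettings["DomainName"].ToString();

    // Instance of LdapAuthentication class
    LDAPAuthentication oLdapAuth = new LDAPAuthentication(sADPath);

    string sUserName = txtUserName.Value.Trim();
    // The password is passed verbatim: trimming it would alter any credential that
    // legitimately begins or ends with whitespace.
    string sPassword = txtPassword.Value;

    // No try/catch here: the previous "catch (Exception ex) { throw (ex); }" only reset
    // the stack trace. Exceptions propagate to the caller exactly as before.
    if (!oLdapAuth.IsAuthenticated(sDomain, sUserName, sPassword))
    {
        divLoginError.Visible = true;
        lblLogin.Text = "* Sorry, you entered incorrect login credentials, please try again. *";
        return;
    }

    // Retrieve a list of AD Groups the User is a Member of
    string sGroups = oLdapAuth.GetGroups();

    // Read the clock once so the ticket and the cookie expire at the same instant.
    DateTime dtIssued = DateTime.Now;
    DateTime dtExpires = dtIssued.AddHours(8);

    // Persistent ticket carrying the group list as user data, then encrypted.
    FormsAuthenticationTicket oAuthTicket =
        new FormsAuthenticationTicket(1, sUserName, dtIssued, dtExpires, true, sGroups);
    string sTicket = FormsAuthentication.Encrypt(oAuthTicket);

    // Create the auth cookie for the User
    HttpCookie oCookie = new HttpCookie(FormsAuthentication.FormsCookieName, sTicket);
    oCookie.Expires = dtExpires;
    oCookie.Path = FormsAuthentication.FormsCookiePath;
    // Honour <forms requireSSL="..."> so the ticket is not sent over plain HTTP when
    // the site is configured for SSL. On .NET 2.0 and later also set
    // oCookie.HttpOnly = true to keep the ticket out of reach of client script.
    oCookie.Secure = FormsAuthentication.RequireSSL;

    Response.Cookies.Add(oCookie);

    // NOTE(review): the redirect target is derived from the ReturnUrl query-string value;
    // confirm the framework version in use restricts it to URLs of this application.
    Response.Redirect(FormsAuthentication.GetRedirectUrl(sUserName, false));
}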
#endregion

Then in my Application_AuthenticateRequest

#region Application_AuthenticateRequest
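/// <summary>
/// Rebuilds the request's principal from the forms-authentication cookie: the ticket's
/// name becomes the identity and its UserData becomes the role list.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event arguments (unused).</param>
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // Retrieve Authentication Cookie; without one the request stays anonymous.
    HttpCookie oCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (null == oCookie)
    {
        return;
    }

    FormsAuthenticationTicket oAuthTicket = null;
    try
    {
        // Retrieve FormsAuthenticationTicket from encrypted cookie
        oAuthTicket = FormsAuthentication.Decrypt(oCookie.Value);
    }
    catch (Exception)
    {
        // A cookie that cannot be decrypted is deliberately treated as "not logged in".
        // NOTE(review): consider logging this, since it can indicate a tampered cookie.
        return;
    }

    // An expired ticket must not be renewed: calling RenewTicketIfOld on it and then
    // trusting the result would let a cookie be accepted past its expiration time.
    if (null == oAuthTicket || oAuthTicket.Expired)
    {
        return;
    }

    // Retrieve array of Group Names from the ticket ('|' separated; presumably the
    // format LDAPAuthentication.GetGroups produces, confirm against that class).
    // Empty user data yields no roles rather than a single empty role name.
    string sUserData = oAuthTicket.UserData;
    string[] sGroupsArray = (null == sUserData || 0 == sUserData.Length)
        ? new string[0]
        : sUserData.Split(new char[] { '|' });

    // Attach a GenericPrincipal built from the identity and the groups to the request.
    GenericIdentity oIdentity = new GenericIdentity(oAuthTicket.Name, "LDAPAuthentication");
    Context.User = new GenericPrincipal(oIdentity, sGroupsArray);
}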
 

George Durzi

Does anyone know if there's another timeout setting that's maybe in IIS?

I've set it in web.config, machine.config, and in my code when creating my
cookie

George Durzi said:
hi all, I am totally stumped, and I need your help.
My authentication cookie (using FormsAuth against Active Directory) is
expiring way too often (like less than 20 minutes). I have it set to expire
in 8 hours. I'm not deploying anything to the site, so I'm not resetting the
application during that time.

Here's all the code which deals with any authentication. Any feedback would
be GREATLY appreciated.

in web.config
<authentication mode="Forms">
<!-- timeout is in minutes (480 = 8 hours). requireSSL and slidingExpiration are not set
     here, so the framework defaults apply to the auth cookie. -->
<forms loginUrl="login.aspx" name="adAuthCookie" timeout="480" path="/"
/>
</authentication>

User Login Function (References LDAPAuthentication class, unnecessary for
this example)

#region LoginUser
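/// <summary>
/// Validates the submitted credentials against Active Directory and, on success,
/// issues the forms-authentication cookie and redirects the user.
/// </summary>
/// <remarks>
/// The user's AD groups are stored in the ticket's UserData and read back by
/// Application_AuthenticateRequest, so a change in group membership is not seen
/// until the user logs in again.
/// </remarks>
private void LoginUser()
{
    // Retrieve LDAP Connect String and Domain Name
    string sADPath = ConfigurationSettings.AppSettings["LDAPConnectString"].ToString();
    string sDomain = ConfigurationSettings.AppSettings["DomainName"].ToString();

    // Instance of LdapAuthentication class
    LDAPAuthentication oLdapAuth = new LDAPAuthentication(sADPath);

    string sUserName = txtUserName.Value.Trim();
    // The password is passed verbatim: trimming it would alter any credential that
    // legitimately begins or ends with whitespace.
    string sPassword = txtPassword.Value;

    // No try/catch here: the previous "catch (Exception ex) { throw (ex); }" only reset
    // the stack trace. Exceptions propagate to the caller exactly as before.
    if (!oLdapAuth.IsAuthenticated(sDomain, sUserName, sPassword))
    {
        divLoginError.Visible = true;
        lblLogin.Text = "* Sorry, you entered incorrect login credentials, please try again. *";
        return;
    }

    // Retrieve a list of AD Groups the User is a Member of
    string sGroups = oLdapAuth.GetGroups();

    // Read the clock once so the ticket and the cookie expire at the same instant.
    DateTime dtIssued = DateTime.Now;
    DateTime dtExpires = dtIssued.AddHours(8);

    // Persistent ticket carrying the group list as user data, then encrypted.
    FormsAuthenticationTicket oAuthTicket =
        new FormsAuthenticationTicket(1, sUserName, dtIssued, dtExpires, true, sGroups);
    string sTicket = FormsAuthentication.Encrypt(oAuthTicket);

    // Create the auth cookie for the User
    HttpCookie oCookie = new HttpCookie(FormsAuthentication.FormsCookieName, sTicket);
    oCookie.Expires = dtExpires;
    oCookie.Path = FormsAuthentication.FormsCookiePath;
    // Honour <forms requireSSL="..."> so the ticket is not sent over plain HTTP when
    // the site is configured for SSL. On .NET 2.0 and later also set
    // oCookie.HttpOnly = true to keep the ticket out of reach of client script.
    oCookie.Secure = FormsAuthentication.RequireSSL;

    Response.Cookies.Add(oCookie);

    // NOTE(review): the redirect target is derived from the ReturnUrl query-string value;
    // confirm the framework version in use restricts it to URLs of this application.
    Response.Redirect(FormsAuthentication.GetRedirectUrl(sUserName, false));
}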
#endregion

Then in my Application_AuthenticateRequest

#region Application_AuthenticateRequest
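/// <summary>
/// Rebuilds the request's principal from the forms-authentication cookie: the ticket's
/// name becomes the identity and its UserData becomes the role list.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event arguments (unused).</param>
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // Retrieve Authentication Cookie; without one the request stays anonymous.
    HttpCookie oCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (null == oCookie)
    {
        return;
    }

    FormsAuthenticationTicket oAuthTicket = null;
    try
    {
        // Retrieve FormsAuthenticationTicket from encrypted cookie
        oAuthTicket = FormsAuthentication.Decrypt(oCookie.Value);
    }
    catch (Exception)
    {
        // A cookie that cannot be decrypted is deliberately treated as "not logged in".
        // NOTE(review): consider logging this, since it can indicate a tampered cookie.
        return;
    }

    // An expired ticket must not be renewed: calling RenewTicketIfOld on it and then
    // trusting the result would let a cookie be accepted past its expiration time.
    if (null == oAuthTicket || oAuthTicket.Expired)
    {
        return;
    }

    // Retrieve array of Group Names from the ticket ('|' separated; presumably the
    // format LDAPAuthentication.GetGroups produces, confirm against that class).
    // Empty user data yields no roles rather than a single empty role name.
    string sUserData = oAuthTicket.UserData;
    string[] sGroupsArray = (null == sUserData || 0 == sUserData.Length)
        ? new string[0]
        : sUserData.Split(new char[] { '|' });

    // Attach a GenericPrincipal built from the identity and the groups to the request.
    GenericIdentity oIdentity = new GenericIdentity(oAuthTicket.Name, "LDAPAuthentication");
    Context.User = new GenericPrincipal(oIdentity, sGroupsArray);
}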
 

George Durzi

I thought I'd share the solution.

My colleague pointed out that there is also a timeout attribute for sessions (the
sessionState element) set in the web.config, and it was overriding everything else. I
had to scroll right to see it, which is why I kept missing it!

George Durzi said:
Does anyone know if there's another timeout setting that's maybe in IIS?

I've set it in web.config, machine.config, and in my code when creating my
cookie

George Durzi said:
hi all, I am totally stumped, and I need your help.
My authentication cookie (using FormsAuth against Active Directory) is
expiring way too often (like less than 20 minutes). I have it set to expire
in 8 hours. I'm not deploying anything to the site, so I'm not resetting the
application during that time.

Here's all the code which deals with any authentication. Any feedback would
be GREATLY appreciated.

in web.config
<authentication mode="Forms">
<!-- timeout is in minutes (480 = 8 hours). requireSSL and slidingExpiration are not set
     here, so the framework defaults apply to the auth cookie. -->
<forms loginUrl="login.aspx" name="adAuthCookie" timeout="480" path="/"
/>
</authentication>

User Login Function (References LDAPAuthentication class, unnecessary for
this example)

#region LoginUser
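/// <summary>
/// Validates the submitted credentials against Active Directory and, on success,
/// issues the forms-authentication cookie and redirects the user.
/// </summary>
/// <remarks>
/// The user's AD groups are stored in the ticket's UserData and read back by
/// Application_AuthenticateRequest, so a change in group membership is not seen
/// until the user logs in again.
/// </remarks>
private void LoginUser()
{
    // Retrieve LDAP Connect String and Domain Name
    string sADPath = ConfigurationSettings.AppSettings["LDAPConnectString"].ToString();
    string sDomain = ConfigurationSettings.AppSettings["DomainName"].ToString();

    // Instance of LdapAuthentication class
    LDAPAuthentication oLdapAuth = new LDAPAuthentication(sADPath);

    string sUserName = txtUserName.Value.Trim();
    // The password is passed verbatim: trimming it would alter any credential that
    // legitimately begins or ends with whitespace.
    string sPassword = txtPassword.Value;

    // No try/catch here: the previous "catch (Exception ex) { throw (ex); }" only reset
    // the stack trace. Exceptions propagate to the caller exactly as before.
    if (!oLdapAuth.IsAuthenticated(sDomain, sUserName, sPassword))
    {
        divLoginError.Visible = true;
        lblLogin.Text = "* Sorry, you entered incorrect login credentials, please try again. *";
        return;
    }

    // Retrieve a list of AD Groups the User is a Member of
    string sGroups = oLdapAuth.GetGroups();

    // Read the clock once so the ticket and the cookie expire at the same instant.
    DateTime dtIssued = DateTime.Now;
    DateTime dtExpires = dtIssued.AddHours(8);

    // Persistent ticket carrying the group list as user data, then encrypted.
    FormsAuthenticationTicket oAuthTicket =
        new FormsAuthenticationTicket(1, sUserName, dtIssued, dtExpires, true, sGroups);
    string sTicket = FormsAuthentication.Encrypt(oAuthTicket);

    // Create the auth cookie for the User
    HttpCookie oCookie = new HttpCookie(FormsAuthentication.FormsCookieName, sTicket);
    oCookie.Expires = dtExpires;
    oCookie.Path = FormsAuthentication.FormsCookiePath;
    // Honour <forms requireSSL="..."> so the ticket is not sent over plain HTTP when
    // the site is configured for SSL. On .NET 2.0 and later also set
    // oCookie.HttpOnly = true to keep the ticket out of reach of client script.
    oCookie.Secure = FormsAuthentication.RequireSSL;

    Response.Cookies.Add(oCookie);

    // NOTE(review): the redirect target is derived from the ReturnUrl query-string value;
    // confirm the framework version in use restricts it to URLs of this application.
    Response.Redirect(FormsAuthentication.GetRedirectUrl(sUserName, false));
}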
#endregion

Then in my Application_AuthenticateRequest

#region Application_AuthenticateRequest
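/// <summary>
/// Rebuilds the request's principal from the forms-authentication cookie: the ticket's
/// name becomes the identity and its UserData becomes the role list.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event arguments (unused).</param>
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // Retrieve Authentication Cookie; without one the request stays anonymous.
    HttpCookie oCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (null == oCookie)
    {
        return;
    }

    FormsAuthenticationTicket oAuthTicket = null;
    try
    {
        // Retrieve FormsAuthenticationTicket from encrypted cookie
        oAuthTicket = FormsAuthentication.Decrypt(oCookie.Value);
    }
    catch (Exception)
    {
        // A cookie that cannot be decrypted is deliberately treated as "not logged in".
        // NOTE(review): consider logging this, since it can indicate a tampered cookie.
        return;
    }

    // An expired ticket must not be renewed: calling RenewTicketIfOld on it and then
    // trusting the result would let a cookie be accepted past its expiration time.
    if (null == oAuthTicket || oAuthTicket.Expired)
    {
        return;
    }

    // Retrieve array of Group Names from the ticket ('|' separated; presumably the
    // format LDAPAuthentication.GetGroups produces, confirm against that class).
    // Empty user data yields no roles rather than a single empty role name.
    string sUserData = oAuthTicket.UserData;
    string[] sGroupsArray = (null == sUserData || 0 == sUserData.Length)
        ? new string[0]
        : sUserData.Split(new char[] { '|' });

    // Attach a GenericPrincipal built from the identity and the groups to the request.
    GenericIdentity oIdentity = new GenericIdentity(oAuthTicket.Name, "LDAPAuthentication");
    Context.User = new GenericPrincipal(oIdentity, sGroupsArray);
}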
 
