Issues with storing the BusinessPrincipal in Session for ASP.NET MVC

raz0rf1sh posted on Wednesday, March 03, 2010

I am running into an issue with ASP.NET MVC where it is forcing the user to log back in after about 20 mins of inactivity.

I am using Forms Authentication and have increased the time-out in the config file as:

</authentication>

I am also setting the session time-out in the config file as:

I am basing this off of Rocky's ASP.NET MVC example and have the following in my global.asax:

protected void Application_AcquireRequestState(object sender, EventArgs e)

{

if (HttpContext.Current.Handler is IRequiresSessionState)

{

if (Csla.ApplicationContext.AuthenticationType == "Windows")

return;

System.Security.Principal.IPrincipal principal;

try

{

principal = (System.Security.Principal.IPrincipal)

HttpContext.Current.Session[MyMembershipProvider.SESSION_KEY];

}

catch

{

principal = null;

}

if (principal == null)

{

if (this.User.Identity.IsAuthenticated && this.User.Identity is FormsIdentity)

{

// no principal in session, but ASP.NET token

// still valid - so sign out ASP.NET

FormsAuthentication.SignOut();

this.Response.Redirect(this.Request.Url.PathAndQuery);

}

// didn't get a principal from Session, so

// set it to an unauthenticted PTPrincipal

BusinessPrincipal.Logout();

}

else

{

// use the principal from Session

Csla.ApplicationContext.User = principal;

}

From what I can tell it should ONLY time-out after 120 minutes of inactivity ... but for some reason it always seems to time-out after 20 minutes of inactivity. I have know idea why this is happening, any ideas?

I am toying with the idea of just dumping Forms Authentication and handling it myself via Session, but I'm afraid I would lose functionality like [Authorize] attributes and so on. Trying not to go down this path.

raz0rf1sh replied on Thursday, March 04, 2010

Still plugging away at this ... is it possible to store the BusinessPrincipal in a cookie?

ajj3085 replied on Thursday, March 04, 2010

I believe a cookie wouldn't be able to hold the amount of information required for a principal. It would also be a security risk (any user could change the cookie and gain unauthorized access).

dpk replied on Thursday, March 04, 2010

I'm wondering if you need to set the timeout period in IIS (which I believe by default is 20 minutes).

raz0rf1sh replied on Saturday, March 06, 2010

I've set the timeout for the FormsAuthorization, for the SessionState and AppPool ... and I still get a timeout. I had a similar issue with Web Forms and ended up just relying on Session to determine Authentication. I may need to do just do that for MVC.

xAvailx replied on Monday, March 15, 2010

Your app pool may be getting recycled and thus loosing your session data. Check your event viewer for app pool resets.

Also I would try switching your session from in memory to sql or out of sate server and then test it out.

You can test form timeouts and session timeouts by removing the authentication and session cookies in your browser.

FYI, I believe the code above has a bug...but I don't recall exactly what it is. You may want to test out removing the session cookie and the authentication cookie separately to test the scenario were one is valid but the other one isn't.

raz0rf1sh replied on Saturday, March 20, 2010

I had to up the IdleTimeout in the AppPool ... that worked ... just blows that I have to change the timeout for the:

Forms Authentication Cookie
Session
AppPool

Craziness! Smile