I am running into an issue with ASP.NET MVC where it is forcing the user to log back in after about 20 mins of inactivity.
I am using Forms Authentication and have increased the time-out in the config file as:
<forms loginUrl="~/Account/LogOn" timeout="9999999" />
I am also setting the session time-out in the config file as:
Still plugging away at this ... is it possible to store the BusinessPrincipal in a cookie?
I believe a cookie wouldn't be able to hold the amount of information required for a principal. It would also be a security risk (any user could change the cookie and gain unauthorized access).
I'm wondering if you need to set the timeout period in IIS (which I believe by default is 20 minutes).
I've set the timeout for the FormsAuthorization, for the SessionState and AppPool ... and I still get a timeout. I had a similar issue with Web Forms and ended up just relying on Session to determine Authentication. I may need to do just do that for MVC.
Your app pool may be getting recycled and thus loosing your session data. Check your event viewer for app pool resets.
Also I would try switching your session from in memory to sql or out of sate server and then test it out.
You can test form timeouts and session timeouts by removing the authentication and session cookies in your browser.
FYI, I believe the code above has a bug...but I don't recall exactly what it is. You may want to test out removing the session cookie and the authentication cookie separately to test the scenario were one is valid but the other one isn't.
I had to up the IdleTimeout in the AppPool ... that worked ... just blows that I have to change the timeout for the:
Copyright (c) Marimer LLC