Stumped on FormsAuth Cookie Timing Out

  1. #1

    Default Stumped on FormsAuth Cookie Timing Out

    Hi all, I am totally stumped, and I need your help.
    My authentication cookie (using FormsAuth against Active Directory) is
    expiring way too often (like less than 20 minutes). I have it set to expire
    in 8 hours. I'm not deploying anything to the site, so I'm not resetting the
    application during that time.

    Here's all the code which deals with any authentication. Any feedback would
    be GREATLY appreciated.

    in web.config
    <authentication mode="Forms">
        <forms loginUrl="login.aspx" name="adAuthCookie" timeout="480" path="/" />
    </authentication>

    User Login Function (References LDAPAuthentication class, unnecessary for
    this example)

    // Requires: using System.Configuration; using System.Web;
    // using System.Web.Security; using System.Security.Principal;
    #region LoginUser
    private void LoginUser()
    {
        // Retrieve LDAP Connect String and Domain Name
        string sADPath =
            ConfigurationSettings.AppSettings["LDAPConnectString"].ToString();
        string sDomain =
            ConfigurationSettings.AppSettings["DomainName"].ToString();

        // Instance of LdapAuthentication class
        LDAPAuthentication oLdapAuth = new LDAPAuthentication(sADPath);

        try
        {
            if (true == oLdapAuth.IsAuthenticated(sDomain, txtUserName.Value.Trim(),
                txtPassword.Value.Trim()))
            {
                // Retrieve a list of AD Groups the User is a Member of
                string sGroups = oLdapAuth.GetGroups();

                // Create the User's FormsAuthenticationTicket
                FormsAuthenticationTicket oAuthTicket = new
                    FormsAuthenticationTicket(1, txtUserName.Value.Trim(), DateTime.Now,
                    DateTime.Now.AddHours(8), true, sGroups);
                // Encrypt the FormsAuthenticationTicket
                string sTicket = FormsAuthentication.Encrypt(oAuthTicket);

                // Create the auth cookie for the User
                HttpCookie oCookie = new
                    HttpCookie(FormsAuthentication.FormsCookieName, sTicket);
                oCookie.Expires = DateTime.Now.AddHours(8);

                // Add the cookie to the collection
                Response.Cookies.Add(oCookie);

                // Redirect the User
                Response.Redirect(FormsAuthentication.GetRedirectUrl(
                    txtUserName.Value.Trim(), false));
            }
            else
            {
                divLoginError.Visible = true;
                lblLogin.Text = "* Sorry, you entered incorrect login credentials, " +
                    "please try again. *";
            }
        }
        catch (Exception)
        {
            // Rethrow without resetting the stack trace
            throw;
        }
    }
    #endregion

    Then in my Application_AuthenticateRequest

    #region Application_AuthenticateRequest
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        // Retrieve FormsAuthentication Cookie Name
        string sCookieName = FormsAuthentication.FormsCookieName;
        // Retrieve Authentication Cookie
        HttpCookie oCookie = Context.Request.Cookies[sCookieName];

        // If cookie doesn't exist, exit function
        if (null == oCookie) return;

        // Create FormsAuthenticationTicket object
        FormsAuthenticationTicket oAuthTicket = null;

        try
        {
            // Retrieve FormsAuthenticationTicket from encrypted cookie
            oAuthTicket = FormsAuthentication.Decrypt(oCookie.Value);
            // Reject an expired ticket; RenewTicketIfOld does not check expiry,
            // so renewing here would turn an expired ticket into a fresh one
            if (oAuthTicket.Expired) return;
        }
        catch (Exception) { return; }

        // If FormsAuthenticationTicket doesn't exist, exit function
        if (null == oAuthTicket) return;

        // Retrieve array of Group Names from FormsAuthenticationTicket
        string[] sGroupsArray = oAuthTicket.UserData.Split(new char[]{'|'});

        // Create a GenericIdentity Object
        GenericIdentity oIdentity = new GenericIdentity(oAuthTicket.Name,
            "LDAPAuthentication");
        // Create a GenericPrincipal Object from the GenericIdentity and the
        // Groups Array
        GenericPrincipal oPrincipal = new GenericPrincipal(oIdentity,
            sGroupsArray);

        // Assign the current HTTP instance of the application to the
        // GenericPrincipal object
        Context.User = oPrincipal;
    }
    #endregion


    George Durzi Guest

  3. #2

    Default Re: Stumped on FormsAuth Cookie Timing Out

    Does anyone know if there's another timeout setting that's maybe in IIS?

    I've set it in web.config, machine.config, and in my code when creating my
    cookie

    George Durzi Guest

  4. #3

    Default Re: Stumped on FormsAuth Cookie Timing Out

    I thought I'd share the solution.

    My colleague pointed out to me that there is a timeout attribute for
    sessions that's set in the web.config. It's overriding everything else. I
    had to scroll right to see it, that's why I was missing it!

    George Durzi Guest
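
Added example, not part of the original thread: a small Python check for the situation the solution post describes, reading the `<forms>` and `<sessionState>` timeout values from a web.config and listing where the configured lifetimes disagree. The sample config is constructed, and the function names, the `code_ticket_minutes` parameter and the `<sessionState>` attributes in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's <forms> element plus a <sessionState>
# element whose attributes are assumed for illustration.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="adAuthCookie" timeout="480" path="/" />
    </authentication>
    <sessionState mode="InProc" cookieless="false" timeout="20" />
  </system.web>
</configuration>"""

# ASP.NET defaults, in minutes, used when the attribute is absent.
FORMS_DEFAULT_MIN = 30
SESSION_DEFAULT_MIN = 20


def _timeout(root, tag, default):
    """Return (minutes, explicitly_set) for the first <tag> element."""
    elem = next(root.iter(tag), None)
    if elem is None or elem.get("timeout") is None:
        return default, False
    return int(elem.get("timeout")), True


def audit_timeouts(xml_text, code_ticket_minutes=None):
    """Compare every place a login lifetime is set and list the mismatches."""
    root = ET.fromstring(xml_text)
    forms, forms_set = _timeout(root, "forms", FORMS_DEFAULT_MIN)
    session, session_set = _timeout(root, "sessionState", SESSION_DEFAULT_MIN)
    findings = []
    if not forms_set:
        findings.append("forms timeout not set; default %d min" % forms)
    if not session_set:
        findings.append("sessionState timeout not set; default %d min" % session)
    if session != forms:
        findings.append("sessionState timeout %d min differs from forms timeout %d min"
                        % (session, forms))
    if code_ticket_minutes is not None and code_ticket_minutes != forms:
        findings.append("ticket built in code lasts %d min, forms timeout is %d min"
                        % (code_ticket_minutes, forms))
    return {"forms": forms, "session": session, "findings": findings}


if __name__ == "__main__":
    # 8 * 60 matches DateTime.Now.AddHours(8) in the posted LoginUser()
    for line in audit_timeouts(SAMPLE_WEB_CONFIG, 8 * 60)["findings"]:
        print(line)
```
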
