1

I have a single-page application in an MVC4 (.NET) website. Some of the methods have permissions for specific roles.

When a user logs in to the system (with cookies)

    FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

everything works fine, but if the user leaves the website open and comes back after a while (at least 30 minutes, I think) without refreshing (it's a single-page application, so a refresh is not needed) and then tries to do something in the website, the user gets an error

"Authorization has been denied for this request."

After a refresh (F5) - everything goes back to normal.

I guess maybe the session is over or something like that. How can I fix it?

In my web.config I have these lines:

    <authentication mode="Forms">
      <forms loginUrl="~/" timeout="2880" slidingExpiration="true" cookieless="UseCookies" />
    </authentication>
TamarG
  • By default the timeout is 30 minutes and it's true in your case. You can either increase the timeout or look for another solution apart from forms authentication. Leave the cookie in local storage and somewhere. While making a request (I believe you are using client-side ajax) you can then append the cookie – qamar Jan 21 '15 at 05:15
  • Indeed I use client side ajax. How can I increase 30 minutes? And do you have a tutorial to your second suggestion? – TamarG Jan 21 '15 at 05:18
  • Sorry I wrote the answer too quickly. For second option I will come up with something when I have a bit of spare time – qamar Jan 21 '15 at 05:21

2 Answers

1

Your FormsAuthentication timeout of 48 hours is more than enough.

The problem is the SessionState timeout; by default it expires in 20 minutes.

You have two options -

  1. Increase the SessionState timeout. FYI: if you increase it too much, it'll become a security hole.

For example, add a sessionState tag in web.config (480 = 8 hours).

    <sessionState timeout="480" />

OR

  2. Create a counter on the client side. If a page idles for 19 minutes, ping the server. Basically, you need to send a request to the server before the sessionState timeout.

For example, create a dummy controller like this and call it via ajax -

    using System.Web.Mvc;

    // Dummy endpoint: the client requests it before the session times out.
    public partial class PingController : Controller
    {
        public ActionResult Index()
        {
            return Content("Ping!");
        }
    }
Win
  • How can I do 1 and 2? What do you mean by ping to server? Just create an ajax that does--what? And how to increase session timeout? – TamarG Jan 21 '15 at 05:38
  • Thanks! I'll try both. About the second answer - all I have to do is send a request to the server, no matter what? just connect the server? – TamarG Jan 21 '15 at 05:56
  • 1
    Yes, just send a dummy request to the server via Ajax before the session expires. Then the server will extend the session timeout. – Win Jan 21 '15 at 14:52
  • Now I have a different problem... I opened a new question about it http://stackoverflow.com/questions/28134459/cookies-and-sessions-expiration-in-net – TamarG Jan 25 '15 at 08:08
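
A sketch of the second option in the answer above (the idle-page ping), added here as an example and not code from either answer: it pings shortly before the 20-minute sessionState timeout, but stops once the user has been inactive for a set period, so the keep-alive does not become the overly long session the first option warns about. The `/Ping` URL follows the answer's `PingController`; `createKeepAlive`, its options and the one-hour `maxIdleMs` value are assumptions.

```javascript
// Added example; createKeepAlive and its option names are hypothetical.
function createKeepAlive(opts) {
  const sessionTimeoutMs = opts.sessionTimeoutMs; // server-side sessionState timeout
  const marginMs = opts.marginMs;                 // ping this long before expiry
  const maxIdleMs = opts.maxIdleMs;               // stop extending after this much inactivity
  const ping = opts.ping;                         // function that issues the request
  const now = opts.now || Date.now;               // injectable clock for testing
  let lastServerContact = now();
  let lastUserActivity = now();

  return {
    // Call from UI event handlers (click, keydown, ...).
    noteActivity() { lastUserActivity = now(); },
    // Call after any other successful ajax call to avoid redundant pings.
    noteServerContact() { lastServerContact = now(); },
    // Call periodically; returns the decision taken.
    tick() {
      const t = now();
      // Nobody has used the page for too long: let the session expire.
      if (t - lastUserActivity >= maxIdleMs) return "idle-expired";
      // The server was contacted recently enough: nothing to do.
      if (t - lastServerContact < sessionTimeoutMs - marginMs) return "fresh";
      ping();
      // Record the attempt so a slow response does not cause a burst of pings.
      lastServerContact = t;
      return "pinged";
    }
  };
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== "undefined") {
  const keepAlive = createKeepAlive({
    sessionTimeoutMs: 20 * 60 * 1000, // default sessionState timeout per the answer
    marginMs: 60 * 1000,              // ping at 19 minutes, as the answer suggests
    maxIdleMs: 60 * 60 * 1000,        // assumed policy: one hour without user input
    ping: () => fetch("/Ping", { credentials: "same-origin", cache: "no-store" })
  });
  ["click", "keydown"].forEach(function (name) {
    window.addEventListener(name, keepAlive.noteActivity);
  });
  setInterval(keepAlive.tick, 30 * 1000);
}
```
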
0

You can increase the timeout value in the web configuration, in the forms authentication section, as you have pasted above.

    <authentication mode="Forms">
      <forms loginUrl="~/" timeout="50000000" slidingExpiration="true" cookieless="UseCookies" />
    </authentication>
qamar
  • Now it's 'timeout="2880" ' which is 48 hours, but it happens a lot before 48 hours passed so I don't see how changing authentication timeout can help. – TamarG Jan 21 '15 at 05:22