0

I have been creating a web project where I am using forms authentication using cookies to validate if the user is authentication.

Everything works fine, but when I host this on shared hosting, then the session expired after 5 minutes of inactivity. I have set the timeout in the config to 60 minutes.

<authentication mode="Forms">
            <forms name=".auth" protection="All" timeout="60"/>
        </authentication>

While Login, I have created a API called login where I am setting the authentication.

FormsAuthentication.SetAuthCookie(".auth", false);

And I check if the user is authenticated in the web API and my API looks like.

    [Authorize]
    [RoutePrefix("api/value")]
    public class ValueController : ApiController
    {
        // GET api/value
        [Route("get")]
        public IEnumerable<string> Get()
        {
            return new string[] { "value1", "value2" };
        }

    }

I do know that this is a very old/bad approach to validate through cookie but this is my legacy application and I can't change the authentication structure and use Owin.

Can anybody suggest why does it expires after 5 minutes of inactivity on shared hosting ? It does works properly on my local IIS and doesn't expires till 60 minutes.

Help is appriciated.

Moiz
  • 2,409
  • 5
  • 27
  • 50
  • App pools have an idle time out in addition to the website session timeout. The default for this is 20 mins. This is not controlled by the web.config and you need to change it in your iis settings. – rdans Mar 18 '15 at 09:32
  • but there is no option to select on my shared hosting. the provider does not allow us to change that. (Go Daddy) – Moiz Mar 18 '15 at 09:39
  • You probably wont be able to increase it then. This post seems to confirm that the godaddy idle timeout is 5 minutes: http://www.codeproject.com/Questions/868986/Validation-of-viewstate-MAC-failed - Your could open a support ticket with godaddy to ask, otherwise you could either change your hosting or create some kind of auto web requester to keep the site alive – rdans Mar 18 '15 at 09:56
  • okay. I will contact godaddy – Moiz Mar 18 '15 at 10:36
  • @Moiz I know this is an old post - but did you get any traction with GoDaddy? The idle timeout on the shared hosting (set at 5 minutes) kills my performance, since there is only about 8 users (quick family site for christmas gifts), so every time they hit the site the app pool is getting restarted and it takes forever. – ragerory Nov 11 '15 at 16:38
  • please view my answer. – Moiz Nov 12 '15 at 12:13

1 Answers1

0

The reason is the hosting provider clears the session and the solution is to add the machineKey in web.config.

<system.web>
    <machineKey decryption="AES" decryptionKey="ddE3434J4K3J3KLNDFPSODIFSFLKJW34L3OIUF" validation="HMACSHA256" validationKey="07dfdDUIEJSLDJFKLSJFEIOUR3989F8SDF90DF9D0F9DF9SD0F90SDF09SD0F9DF" />
</system.web>

(Please note this is a sample key. You have to generate a key and add to your config)

Moiz
  • 2,409
  • 5
  • 27
  • 50
  • I called godaddy to see if i can get a machine key generated by them for seperate issue: http://stackoverflow.com/questions/42319225/hosted-webapi-application-always-prompt-login. They are saying our subscriptions is under "shared" server, they cannot provide a machine key. A private server is needed. – jmogera Feb 28 '17 at 22:23