(Updated / Solved) Session Timeout in ASPX Application Using Shared Hosting

After scouring Google and the internet for possible solutions to authenticated users getting logged out of my web application after 5 minutes, I finally came up with a solution that works.

Background-
After a user logged into the website and left the browser open and idle, they were presented with the login prompt to re-authenticate when they returned 5-10 minutes later to do something on the site. What we wanted to do was give the user more time before they had to log in again.

Problem-
The website is not hosted on our servers but through Godaddy.com on shared hosting, and even though we have control of how the web application's settings are configured (via web.config), we can’t control the physical server settings. The examples I found did modify the authentication timeout as well as the session timeout via the web.config, but the actual settings never took effect; users were still timing out. Even contacting Godaddy.com support didn’t produce any positive results; they said “You control that in your web.config, there isn’t anything on our servers that would affect you”. As a web host I know that isn’t true: the application pool has settings specific to idle time, which default to 20 minutes, and that is a server setting that I cannot change in the shared environment. But I must find a solution, so here is what I tried, and it worked!

Solution-
After several days of trying different methods, this is what I did. I kept my web.config with my new timeout settings (even though they didn’t produce results, I just thought I would leave them; plus, they would be useful if I move the site to my servers). Here they are:

<system.web>
	<authentication mode="Forms">
		<forms timeout="90" name=".ASPXAUTH"/>
	</authentication>
	<sessionState mode="InProc" cookieless="false" timeout="90"/>
</system.web>

But what really did the magic was creating my own authentication ticket. I added this code in the login control's “LoggingIn” event, and it did the trick. Here's the VB.Net version:

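    ' Requires "Imports System.Web.Security" at the top of the code-behind file
    Protected Sub Login1_LoggingIn(sender As Object, e As LoginCancelEventArgs) Handles Login1.LoggingIn
        If Membership.ValidateUser(Login1.UserName, Login1.Password) Then
            ' Constructor arguments, in order:
            '   1                                    ticket version
            '   Login1.UserName                      authenticated username
            '   DateTime.Now                         issue date
            '   DateTime.Now.AddMinutes(90)          expiry date
            '   True                                 persist across browser sessions
            '   ""                                   can be used to store additional user data
            '   FormsAuthentication.FormsCookiePath  the path for the cookie
            Dim ticket As New FormsAuthenticationTicket(1, Login1.UserName, DateTime.Now, DateTime.Now.AddMinutes(90), True, "", FormsAuthentication.FormsCookiePath)
            ' Encrypt the ticket using the machine key
            Dim encryptedTicket As String = FormsAuthentication.Encrypt(ticket)
            ' Add the cookie to the response so the browser stores it
            Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
            cookie.HttpOnly = True
            ' Mirror the requireSSL setting of the <forms> element
            cookie.Secure = FormsAuthentication.RequireSSL
            ' Without Expires the browser drops the cookie when it closes, despite the persistent ticket
            cookie.Expires = ticket.Expiration
            Response.Cookies.Add(cookie)
        End If
    End Sub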

Here's the C# version:

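// Requires "using System.Web.Security;" at the top of the code-behind file
protected void Login1_LoggingIn(object sender, LoginCancelEventArgs e)
{
	if (Membership.ValidateUser(Login1.UserName, Login1.Password)) {
		FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
			1,                                    // ticket version
			Login1.UserName,                      // authenticated username
			DateTime.Now,                         // issueDate
			DateTime.Now.AddMinutes(90),          // expiryDate
			true,                                 // true to persist across browser sessions
			"",                                   // can be used to store additional user data
			FormsAuthentication.FormsCookiePath); // the path for the cookie
		// Encrypt the ticket using the machine key
		string encryptedTicket = FormsAuthentication.Encrypt(ticket);
		// Add the cookie to the response so the browser stores it
		HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
		cookie.HttpOnly = true;
		// Mirror the requireSSL setting of the <forms> element
		cookie.Secure = FormsAuthentication.RequireSSL;
		// Without Expires the browser drops the cookie when it closes, despite the persistent ticket
		cookie.Expires = ticket.Expiration;
		Response.Cookies.Add(cookie);
	}
}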

I must say, after looking and looking for a solution and coming up with this one, it was rewarding, and it proves we once again live up to our motto: "You'll never hear 'That can't be done!'"

Call us to get your IT stuff working the way YOU want it!

Update! Update! Update! Update! Update!

Not too long after I posted this, and with more testing, the session timeouts continued. I gave up after long hours of not finding a solution and left a post on the asp.net website, and got a reply that would actually fix the timeout problem: the web.config file only needs one little modification from above. Here's the updated code:

<system.web>
	<authentication mode="Forms">
		<forms timeout="90" name=".ASPXAUTH"/>
	</authentication>
	<sessionState mode="InProc" cookieless="false" timeout="90"/>
	<machineKey validationKey="8A64..." decryptionKey="02F24..." validation="SHA1" decryption="AES"/>
</system.web>

To generate your own machine key for the web.config, see http://aspnetresources.com/tools/machineKey
Note: The site will generate the entire line to insert (not just the keys). Also, you can forget about generating your own authentication ticket; using this method eliminates the need for it.

For a description of why this works see my original question at asp.net here.

Cheers!!