A Reminder: Login using Google, Facebook, LinkedIn or Microsoft

Many websites are offering alternative login methods. This is important since internet security must be our 110% focus these days. Why use them? Google, Facebook, LinkedIn and Microsoft all offer 2-factor authentication, meaning that if someone guesses, steals or cracks your password they still can't get into your account without the second piece of authentication (e.g. a code sent by SMS).

It also saves you from having to remember all those individual passwords. I created a document and put all my passwords and sites on that, and I'm not so trusting of password software to depend on it recording those. We have to face the fact that unless we unplug our computers from the internet we're at one time or another going to be a victim.

Using multi-part authentication is a start, and many of the newer programming languages let the developer use those technologies right out of the box. On the technical side, the 3rd party site (Google, Facebook, LinkedIn or Microsoft) passes an authentication token back to the requesting website with a pass or fail result, so the requesting site keeps no important login information, and in most cases you define what you want to share with the new site.

Thanks for reading. Remember, if you live in the Dallas/Fort Worth area, now through the end of 2015 we offer a complete virus removal and system clean up for only $75.00 per computer. Call today: 972-571-4808.

-Thanks!!!

(Updated / Solved) Session Timeout in ASPX Application Using Shared Hosting

After scouring Google and the internet for possible solutions to authenticated users of my web application getting logged out after 5 minutes, I finally came up with a solution that works.

Background-
After a user logged into the website and left the browser up and idle, when they returned 5-10 minutes later to do something on the site they were presented with the login prompt to re-authenticate. What we wanted to do is give the user more time before they would have to log in again.

Problem-
The website is not hosted on our servers but through Godaddy.com in shared hosting, and even though we have control of how the web application's settings are configured (via web.config) we can't control the physical server settings. In the examples I found they did modify the authentication timeout as well as the session timeout via the web.config, but the actual settings never took effect; users were still timing out. Even contacting Godaddy.com support didn't produce any positive results; they said "You control that in your web.config, there isn't anything on our servers that would affect you". As a web host I know that isn't true: the application pool has settings specific to idle time, which default to 20 minutes, and that is a server setting that I cannot change in the shared environment. But I had to find a solution, so here is what I tried, and it worked!

Solution-
After several days of trying different methods, this is what I did. I kept my web.config with my new timeout settings (even though they didn't produce results I thought I would leave them; plus, they would be useful if I move the site to my servers). Here they are:

<system.web>
	<authentication mode="Forms">
		<forms timeout="90" name=".ASPXAUTH"/>
	</authentication>
	<sessionState mode="InProc" cookieless="false" timeout="90"/>
</system.web>

But what really did the magic was creating my own authentication ticket. I added this code in the login control's LoggingIn event, and it did the trick. Here's the VB.Net version:

' Requires: Imports System.Web
'           Imports System.Web.Security
Protected Sub Login1_LoggingIn(sender As Object, e As LoginCancelEventArgs) Handles Login1.LoggingIn
    If Membership.ValidateUser(Login1.UserName, Login1.Password) Then
        ' Build the ticket: version, authenticated username, issue date,
        ' expiry date (90 minutes from now), True to persist across browser
        ' sessions, user data (none), and the path for the cookie
        Dim ticket As New FormsAuthenticationTicket(1, Login1.UserName, DateTime.Now, DateTime.Now.AddMinutes(90), True, "", FormsAuthentication.FormsCookiePath)
        ' Encrypt and sign the ticket using the machine key
        Dim encryptedTicket As String = FormsAuthentication.Encrypt(ticket)
        ' Put the encrypted ticket in the forms auth cookie and add it to the
        ' response so the browser stores it
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        ' Keep the ticket out of reach of client-side script
        ' (set cookie.Secure = True as well once the site is served over HTTPS)
        cookie.HttpOnly = True
        Response.Cookies.Add(cookie)
    End If
End Sub

Here's the C# version:

// Requires: using System;
//           using System.Web;
//           using System.Web.Security;
//           using System.Web.UI.WebControls;
// Wire up with OnLoggingIn="Login1_LoggingIn" on the <asp:Login> control
protected void Login1_LoggingIn(object sender, LoginCancelEventArgs e)
{
	if (Membership.ValidateUser(Login1.UserName, Login1.Password))
	{
		// Build the ticket: version, authenticated username, issue date,
		// expiry date (90 minutes from now), true to persist across browser
		// sessions, user data (none), and the path for the cookie
		FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, Login1.UserName, DateTime.Now, DateTime.Now.AddMinutes(90), true, "", FormsAuthentication.FormsCookiePath);
		// Encrypt and sign the ticket using the machine key
		string encryptedTicket = FormsAuthentication.Encrypt(ticket);
		// Put the encrypted ticket in the forms auth cookie and add it to the
		// response so the browser stores it
		HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
		// Keep the ticket out of reach of client-side script
		// (set cookie.Secure = true as well once the site is served over HTTPS)
		cookie.HttpOnly = true;
		Response.Cookies.Add(cookie);
	}
}

I must say that after looking and looking for a solution, coming up with this one was rewarding, and it proves we once again live up to our motto: "You'll never hear 'That can't be done!'"

Call us to get your IT stuff working the way YOU want it!

Update! Update! Update! Update! Update!

Not too long after I posted this, with more testing, the session timeouts continued. After long hours without finding a solution I gave up and left a post on the asp.net website, and got a reply that actually fixed the timeout problem. The web.config file only needs one little modification from the version above; here's the updated code:

<system.web>
	<authentication mode="Forms">
		<forms timeout="90" name=".ASPXAUTH"/>
	</authentication>
	<sessionState mode="InProc" cookieless="false" timeout="90"/>
	<machineKey validationKey="8A64..." decryptionKey="02F24..." validation="SHA1" decryption="AES"/>
</system.web>

To generate your own machine key for the web.config see http://aspnetresources.com/tools/machineKey
Note: the site generates the entire machineKey line to insert (not just the keys). Also, you can forget about generating your own authentication ticket; using this method eliminates the need for that.
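To see why a pinned machine key changes the outcome, here is a small Python simulation that is an added illustration, not part of the original post or the author's .NET code. ASP.NET only trusts a forms authentication cookie it can validate with the key that produced it. When the shared host recycles the application pool and the machineKey is left auto-generated, the new worker process draws a fresh key, every cookie issued before the recycle fails validation, and the user lands on the login page long before the configured 90 minutes. The script models that with an HMAC-SHA256 signed ticket (a stand-in, not the real .NET ticket format), a toy AppPool whose recycle either keeps the pinned key or generates a new random one, and a PINNED_VALIDATION_KEY that is a constructed placeholder, not a real key. Session data held InProc is still lost on a recycle; the pinned key only keeps the login cookie valid.

```python
"""Simulation of why an auto-generated machineKey looks like a short session
timeout.  Not the real ASP.NET ticket format: a signed 'user|issued|expires'
string stands in for FormsAuthentication.Encrypt/Decrypt."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder for the validationKey pinned in web.config (not a real key).
PINNED_VALIDATION_KEY = bytes.fromhex("8a64" * 16)


def issue_ticket(username: str, issued_at: int, lifetime_minutes: int,
                 validation_key: bytes) -> str:
    """Build 'username|issued|expires|mac'; mac is HMAC-SHA256 over the fields."""
    expires = issued_at + lifetime_minutes * 60
    payload = f"{username}|{issued_at}|{expires}"
    mac = hmac.new(validation_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_ticket(ticket: str, now: int, validation_key: bytes) -> Optional[str]:
    """Return the username if the MAC verifies under validation_key and the
    ticket has not expired; None means 'send the user to the login page'."""
    try:
        username, issued_s, expires_s, mac = ticket.split("|")
    except ValueError:
        return None  # malformed cookie
    payload = f"{username}|{issued_s}|{expires_s}"
    expected = hmac.new(validation_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # signed by a different key, or tampered with
    if now >= int(expires_s):
        return None  # a genuine timeout
    return username


class AppPool:
    """Toy worker process. pinned=False mimics <machineKey> left at AutoGenerate."""

    def __init__(self, pinned: bool):
        self.pinned = pinned
        self.validation_key = b""
        self.recycle()

    def recycle(self) -> None:
        # The shared host recycles the pool after ~20 idle minutes.  With an
        # auto-generated key the replacement process gets a brand-new key.
        self.validation_key = (PINNED_VALIDATION_KEY if self.pinned
                               else secrets.token_bytes(64))


def simulate(pinned: bool, idle_minutes: int = 10, ticket_minutes: int = 90) -> bool:
    """Log in, idle across a pool recycle, come back. True if still logged in."""
    t0 = 1_700_000_000  # constructed login timestamp
    pool = AppPool(pinned)
    cookie = issue_ticket("alice", t0, ticket_minutes, pool.validation_key)
    pool.recycle()  # user idled; the host recycled the worker process
    return validate_ticket(cookie, t0 + idle_minutes * 60, pool.validation_key) == "alice"


if __name__ == "__main__":
    print("auto-generated key, back after 10 min:", simulate(pinned=False))
    print("pinned key, back after 10 min:", simulate(pinned=True))
    print("pinned key, back after 95 min:", simulate(pinned=True, idle_minutes=95))
```

Run it as a script and the first case comes back logged out after 10 minutes even though the ticket was good for 90, the second stays logged in, and the third is logged out only because the ticket really expired. The key point for a shared host is that the 90-minute figure is meaningless unless the key that validates it outlives the worker process.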

For a description of why this works see my original question at asp.net here.

Cheers!!