Form authentication slidingExpiration does not work

Question

I have below code

int intTimeout = (FormsAuthentication.Timeout.Hours * 60) +
  FormsAuthentication.Timeout.Minutes;
var authTicket = new FormsAuthenticationTicket(1, Utility.userCookie, DateTime.Now, 
  DateTime.Now.AddMinutes(intTimeout), true, cookieValue);

string strEncryptedTicket = HttpUtility.UrlEncode(FormsAuthentication.Encrypt(authTicket));
var authCookie = new HttpCookie(Utility.userCookie, strEncryptedTicket);
authCookie.Expires = authTicket.Expiration;
//FormsAuthentication.RedirectFromLoginPage("", false);
authCookie.Secure = FormsAuthentication.RequireSSL;
//authCookie.Secure = true;

HttpContext.Current.Response.Cookies[Utility.userCookie].Expires = authTicket.Expiration;
HttpContext.Current.Response.Cookies[Utility.userCookie].Value = authCookie.Value;

Below web.config

<authentication mode="Forms">
  <forms timeout="2" slidingExpiration="true" requireSSL="true" />
</authentication>

I keep hitting page link, still it expires in 2 minutes.

Answer 1

In my application, I define cookieAuthenticationOptions in Startup.cs like this and it works fine

app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                ExpireTimeSpan = TimeSpan.FromHours(1),
                SlidingExpiration = true,
                CookieHttpOnly = true,
                CookieName = "App.Authentication",
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
            });

Do you define those options ?

Why you don't use the SignIn method of AuthenticationManager ?

Answer 2

Please pay attention to the structure of custom forms–based authentication in web.config:

<forms 
   name="name" 
   loginUrl="URL" 
   defaultUrl="URL"
   protection="[All|None|Encryption|Validation]"
   timeout="[MM]"
   path="path"
   requireSSL="[true|false]"
   slidingExpiration="[true|false]">
   enableCrossAppRedirects="[true|false]"
   cookieless="[UseUri|UseCookies|AutoDetect|UseDeviceProfile]" 
   domain="domain name"
   ticketCompatibilityMode="[Framework20|Framework40]">
   <credentials>...</credentials>
</forms>

As you see, timeout property works based on minutes where you set it 2 (e.g. 2 minutes).

Generally, if you enable slidingExpiration in web.config. You have no need to regenerate a new cookie manually. For your scenario, I suggest you to use a trace tool e.g. Fiddler. When you refresh the page, you can check from Fiddler that whether the cookie expired time is reset.

I found a good example in Weird Timeouts With Custom ASPNETFormsAuthentication which can do some clearance for you.

Answer 3

Try to remove this line from your code and try again:

HttpContext.Current.Response.Cookies[Utility.userCookie].Expires = authTicket.Expiration;

Answer 4

In web.config file either remove <clear/> element or add following after <clear/> element if not present.

<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/>

Answer 5

Maybe the problem is related to lack of static machineKey section in the web.config file. when you call FormsAuthentication.Encrypt or FormsAuthentication.Decrypt, the methods use the machineKey values which is provided in the web.config file to perform the operation. if you do not provide strict values for machineKey, a new unique validationKey and decryptionKey would generate at the start point of the web application. sometimes depend on the server settings(for example small Idle-Time values for application pool settings), application is terminated before the expiration time of the FormsAuthenticationTicket. in this case because of the new machineKey values the Decrypt method can't validate the Ticket. I just recommend you to set a static machineKey.

see the following link: https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx