ASP.NET : How to solve logging out before timeout expires problem

asp-net-forms-authentication-timeout-expire-problem-thumb

A while ago I had the task of setting up an old ASP.NET 3.5 application on a shared hosting server and after I was done, the application worked as it should except for one important bit. The application used a Forms Authentication to authenticate users and after users logged in they were getting logging out and redirected to the login page after a really short amount of time, usually only after a few minutes.
In this article, I will show different ways I tried to locate this problem and how I finally managed to fix this issue.

Checking the web.config file seemed like the logical first step.

Checking timeout value in Web.config

The application used a Forms authentication, so first I located the forms element. I assumed the timeout attribute must have been set to some really low value. This is what I found:

<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="60" cookieless="UseCookies" defaultUrl="./Default.aspx" />
</authentication>

So even though the timeout attribute was set to 60 minutes, the authorization cookie expired prematurely after approx. 5 minutes.

Next, I decided to check into the control panel of the shared hosting to see if I find something there or at least get some idea of what was going on.

Checking the control panel in Shared Hosting

The shared hosting server was using Parallels Plesk Panel and under the “ASP.NET Settings” Icon, I only found the Authentication mode option and nothing else that seemed related to Authentication.
Parallels Plesk panel asp.net settings

But there was another tool that caught my eye. It was “IIS Application Pool”:
Parallels Plesk IIS Application Pool settings

Unfortunately, there was nothing to set up there. The only thing I found was maximum CPU usage data.
Parallels Plesk IIS Application Pool maximum CPU usage data
Nevertheless, the Application pool looked like something worth investigating further and in the end, it provided me with an important clue to what was really happening.

Cause of the problem

It turns out that in shared hosting, Application pools can regularly be recycled. When recycling occurs, the ASP.NET will recreate a MachineKey if there isn’t one specified in web.config. Machine key is used to generate Authentication ticket, so the newly recreated machinekey makes the current Authentication ticket invalid which causes users to logout.

The solution to that is to add a <machinekey> section in the web.config file which is shown next.

Adding machinekey to the web.config

Now that we know what needs to be added, the next question is how to generate the machinekey and where to put it in web.config.

Machinekey has two required attributes named decryptionKey and validationKey. Fortunately, there are quite a few online tools available for generating necessary machine key code, one such tool can be found at:

http://www.developerfusion.com/tools/generatemachinekey/

The generated code will look something like this:

<machineKey validationKey="9FF4EA8E411460F5770F…" decryptionKey="71492B24C…" validation="SHA1" decryption="AES"/>

All that remains is to copy that generated online <machinekey> code inside <system.web> element in web.config and we are done.

Note:In the example above, the values for validationKey and decryptionKey has been shortened for readability. Do not copy the above code, use online tool instead!

Conclusion

If the ASP.NET application is hosted in a shared environment, the authenticated users might time out prematurely, but this can be easily solved by adding machinekey section into the web.config file.

Tags:

6 Comments

Click HERE to add your Comment
  1. Deep Shah
    March 7, 2016
  2. serdar
    May 17, 2017
  3. Huy Truong
    May 31, 2017
  4. Samit
    June 30, 2017
  5. Mudi
    February 24, 2019
  6. Srikanth
    April 28, 2020

Write a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.