A while ago I had the task of setting up an old ASP.NET 3.5 application on a shared hosting server. After I was done, the application worked as it should except for one important bit. The application used Forms Authentication to authenticate users, and after users logged in they were getting logged out and redirected to the login page after a really short amount of time, usually only after a few minutes.
In this article, I will show different ways I tried to locate this problem and how I finally managed to fix this issue.
Checking the web.config file seemed like the logical first step.
Checking timeout value in Web.config
The application used Forms authentication, so first I located the forms element. I assumed the timeout attribute must have been set to some really low value. This is what I found:
So even though the timeout attribute was set to 60 minutes, the authorization cookie expired prematurely after approx. 5 minutes.
Next, I decided to look at the control panel of the shared hosting to see whether I could find something there or at least get some idea of what was going on.
Checking the control panel in Shared Hosting
The shared hosting server was using Parallels Plesk Panel and under the “ASP.NET Settings” Icon, I only found the Authentication mode option and nothing else that seemed related to Authentication.
But there was another tool that caught my eye. It was “IIS Application Pool”:
Unfortunately, there was nothing to set up there. The only thing I found was maximum CPU usage data.
Nevertheless, the Application pool looked like something worth investigating further and in the end, it provided me with an important clue to what was really happening.
Cause of the problem
It turns out that in shared hosting, Application pools can regularly be recycled. When recycling occurs, ASP.NET will generate a new machine key if one isn't specified in web.config. The machine key is used to encrypt and validate the Authentication ticket, so the newly generated machine key makes the current Authentication ticket invalid, which logs users out.
The solution is to add a <machineKey> section to the web.config file, which is shown next.
Adding machineKey to the web.config
Now that we know what needs to be added, the next question is how to generate the machine key and where to put it in web.config.
The <machineKey> element has two required attributes named decryptionKey and validationKey. Fortunately, there are quite a few online tools available for generating the necessary machine key code. One such tool can be found at:
http://www.developerfusion.com/tools/generatemachinekey/
The generated code will look something like this:
All that remains is to copy the generated <machineKey> code inside the <system.web> element in web.config and we are done.
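The keys can also be produced locally, so the secret that protects every authentication ticket is never seen by a third-party site. The sketch below is an added example, not part of the original article: it builds a <machineKey> element from the operating system's random generator and checks a web.config string for a missing or auto-generated key. The function names, the SHA1/AES choice for ASP.NET 3.5 and the key sizes are assumptions of this example.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Assumed sizes for this example (ASP.NET 3.5): 64-byte validation key
# for SHA1 validation, 32-byte decryption key for AES.
VALIDATION_BYTES = 64
DECRYPTION_BYTES = 32
HEX = re.compile(r"^[0-9A-Fa-f]+$")


def new_machine_key():
    """Return a <machineKey> element with keys from the OS CSPRNG."""
    validation = secrets.token_hex(VALIDATION_BYTES).upper()
    decryption = secrets.token_hex(DECRYPTION_BYTES).upper()
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="SHA1" decryption="AES" />' % (validation, decryption))


def check_web_config(xml_text):
    """Return a list of problems with the machineKey in a web.config string."""
    root = ET.fromstring(xml_text)
    # Compare local tag names so a namespaced <configuration> also works.
    node = next((e for e in root.iter()
                 if e.tag.split("}")[-1] == "machineKey"), None)
    if node is None:
        return ["no <machineKey>: keys are generated by ASP.NET"]
    problems = []
    for attr, size in (("validationKey", VALIDATION_BYTES),
                       ("decryptionKey", DECRYPTION_BYTES)):
        value = node.get(attr, "")
        if not value or "AutoGenerate" in value:
            problems.append("%s is not a fixed key" % attr)
        elif not HEX.match(value) or len(value) != size * 2:
            problems.append("%s differs from the %d hex characters "
                            "this example generates" % (attr, size * 2))
    return problems


if __name__ == "__main__":
    element = new_machine_key()
    print(element)
    # Constructed sample config wrapping the generated element.
    sample = ("<configuration><system.web>%s</system.web></configuration>"
              % element)
    print(check_web_config(sample) or "machineKey looks fixed")
```

Treat the generated element like a password: anyone who holds both keys can create tickets the application will accept.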
Conclusion
If the ASP.NET application is hosted in a shared environment, authenticated users might time out prematurely, but this can be easily solved by adding a <machineKey> section to the web.config file.
Deep Shah
March 7, 2016
Thanks a ton. This saved me hours of grief.
serdar
May 17, 2017
Very very clear, thank you so much.
Huy Truong
May 31, 2017
Excellent! It took me a long time to find the answer to this problem. Thank you so much!
Samit
June 30, 2017
Thanks Buddy !!!! it Worked.... 🙂
Mudi
February 24, 2019
Was lost as to what the problem was before finding this solution. Thank you.
Srikanth
April 28, 2020
Nice one.