ASP.NET : How to solve logging out before timeout expires problem


A while ago I had a task of setting up an old ASP.NET 3.5 application on a shared hosting server and after I was done, the application worked as it should except for one important bit. The application used a Forms Authentication to authenticate users and after users logged in they were getting logging out and redirected to login page after a really short amount of time, usually only after a few minutes.
In this article I will show different ways I tried to locate this problem and how I finally managed to fix this issue.

Checking the web.config file seemed like the logical first step.

Checking timeout value in Web.config

The application used a Forms authentication, so first I located the forms element. I assumed the timeout attribute must have been set to some really low value. This is what I found:

<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="60" cookieless="UseCookies" defaultUrl="./Default.aspx" />

So even though the timeout attribute was set to 60 minutes, the authorization cookie expired prematurely after approx. 5 minutes.

Next I decided to check into the control panel of the shared hosting to see if I find something there or at least get some idea what was going on.

Checking the control panel in Shared Hosting

The shared hosting server was using Parallels Plesk Panel and under “ASP.NET Settings” Icon, I only found Authentication mode option and nothing else that seemed related to Authentication.
Parallels Plesk panel settings

But there was another tool that caught my eye. It was “IIS Application Pool”:
Parallels Plesk IIS Application Pool settings

Unfortunately, there was nothing to set up there. The only thing I found was maximum CPU usage data.
Parallels Plesk IIS Application Pool maximum CPU usage data
Nevertheless Application pool looked like something worth investigating further and in the end it provided me with a important clue to what was really happening.

Cause of the problem

It turns out that in shared hosting, Application pools can regularly be recycled. When recycling occurs, the ASP.NET will recreate a MachineKey if there isn’t one specified in web.config. Machine key is used to generate Authentication ticket, so the newly recreated machinekey makes the current Authentication ticket invalid which causes users to logout.

The solution to that is to add a <machinekey> section in the web.config file which is shown next.

Adding machinekey to the web.config

Now that we know what needs to be added, the next question is how to generate the machinekey and where to put it in web.config.

Machinekey has two required attributes named decryptionKey and validationKey. Fortunately, there are quite a few online tools available for generating necessary machine key code, one such tool can be found at:

The generated code will look something like this:

<machineKey validationKey="9FF4EA8E411460F5770F…" decryptionKey="71492B24C…" validation="SHA1" decryption="AES"/>

All that remains is to copy that generated online <machinekey> code inside <system.web> element in web.config and we are done.

Note:In the example above, the values for validationKey and decryptionKey has been shortened for readability. Do not copy the above code, use online tool instead!


If ASP.NET application is hosted in a shared environment, the authenticated users might time out prematurely, but this can be easily solved by adding machinekey section into the web.config file.


Share this page


Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to Top