A while ago I had the task of setting up an old ASP.NET 3.5 application on a shared hosting server. After I was done, the application worked as it should except for one important bit. The application used Forms Authentication to authenticate users, and after users logged in they were logged out and redirected to the login page after a really short amount of time, usually after only a few minutes.
In this article I will show the different ways I tried to locate the problem and how I finally managed to fix it.
The web.config file seemed like the logical first step.
Checking timeout value in Web.config
The application used Forms authentication, so first I located the forms element. I assumed the timeout attribute must have been set to some really low value. This is what I found:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" timeout="60" cookieless="UseCookies" defaultUrl="./Default.aspx" />
</authentication>
So even though the timeout attribute was set to 60 minutes, the authentication cookie expired prematurely after approx. 5 minutes.
Next I decided to look in the control panel of the shared hosting to see if I could find something there, or at least get some idea of what was going on.
Checking the control panel in Shared Hosting
The shared hosting server was using Parallels Plesk Panel, and under the “ASP.NET Settings” icon I found only the Authentication mode option and nothing else that seemed related to authentication.
But there was another tool that caught my eye. It was “IIS Application Pool”:
Unfortunately, there was nothing to set up there. The only thing I found was maximum CPU usage data.
Nevertheless, the application pool looked like something worth investigating further, and in the end it provided me with an important clue to what was really happening.
Cause of the problem
It turns out that in shared hosting, application pools can be recycled regularly. When recycling occurs, ASP.NET will recreate the machine key if there isn’t one specified in web.config. The machine key is used to generate the authentication ticket, so a newly recreated machine key makes the current authentication ticket invalid, which causes users to be logged out.
The solution is to add a <machineKey> section to the web.config file, which is shown next.
Adding machinekey to the web.config
Now that we know what needs to be added, the next question is how to generate the machine key and where to put it in web.config.
The machineKey element has two required attributes named decryptionKey and validationKey. Fortunately, there are quite a few online tools available for generating the necessary machine key code; one such tool can be found at:
The generated code will look something like this:
<machineKey validationKey="9FF4EA8E411460F5770F…" decryptionKey="71492B24C…" validation="SHA1" decryption="AES"/>
All that remains is to copy the generated <machineKey> code inside the <system.web> element in web.config, and we are done.
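As an alternative to an online generator, the keys can be produced locally, so the key material used for the authentication ticket never passes through a third-party site. The following is an added example, not code from the original article; the key sizes (64 bytes for SHA1 validation, 32 bytes for AES), the function names and the sample web.config are assumptions made for illustration.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Assumed key sizes: 64-byte HMAC key for validation="SHA1",
# 32-byte (AES-256) key for decryption="AES".
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
HEX = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample: a web.config like the article's, with no machineKey yet.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="60" cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>"""


def generate_machine_key():
    """Build a <machineKey> element from the operating system's CSPRNG."""
    validation = secrets.token_hex(VALIDATION_KEY_BYTES).upper()
    decryption = secrets.token_hex(DECRYPTION_KEY_BYTES).upper()
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="SHA1" decryption="AES"/>' % (validation, decryption))


def check_machine_key(web_config_xml):
    """Return a list of problems with the machineKey in a web.config string."""
    element = ET.fromstring(web_config_xml).find("system.web/machineKey")
    if element is None:
        return ["no <machineKey> element, so ASP.NET auto-generates the keys"]
    problems = []
    for name in ("validationKey", "decryptionKey"):
        value = element.get(name, "AutoGenerate")  # missing attribute = auto-generated
        if value.startswith("AutoGenerate"):
            problems.append(name + " is auto-generated")
        elif not HEX.fullmatch(value) or len(value) % 2:
            problems.append(name + " is not an even-length hex string")
    return problems


if __name__ == "__main__":
    print(check_machine_key(SAMPLE_WEB_CONFIG))   # reports the missing element
    fixed = SAMPLE_WEB_CONFIG.replace("</system.web>",
                                      "  " + generate_machine_key() + "\n  </system.web>")
    print(check_machine_key(fixed))               # empty list once keys are pinned
    print(fixed)
```

Generate the keys once and keep the resulting web.config out of public repositories, since anyone holding these values can produce tickets the application will accept.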
If an ASP.NET application is hosted in a shared environment, authenticated users might be logged out prematurely, but this can easily be solved by adding a machineKey section to the web.config file.