asp.net-mvc-3 iis-7 iis-7.5 forms-authentication subdomain

Reasons for being logged out before actual timeout in Forms Authentication


I have an ASP.NET MVC 3.0 website hosted on a subdomain of a main website. The ASP.NET version is set to .NET 4.0, integrated pipeline.

The Forms Authentication settings are as below:

<authentication mode="Forms">
  <forms
          cookieless="UseCookies"
          defaultUrl="~/home"
          enableCrossAppRedirects="false"
          path="/"
          requireSSL="false"
          loginUrl="~/account/login"
          protection="All"
          timeout="120"
          slidingExpiration="true"
          name=".SubDomainAuthCookie"></forms>
</authentication>

But it logs me out just after a few minutes each time! The host admins say that it is maybe because of improper coding or heavy tasks that cause the application pool to reset, but it's a simple MVC website with the EF ORM. I can't figure out what to do! What should I look for as a possible cause of this situation?

Update :

After checking Application_Start, I find that it's the problem. I logged Application_Start() and the result is that whenever I'm being logged out, a log entry is added.

12/6/2012 12:14:03 PM ==> Application started
12/6/2012 12:16:35 PM ==> Application started
12/6/2012 12:22:59 PM ==> Application started

Strange, but real. There is nothing complicated or heavy in the logic! Could EF be the problem? Does it consume a lot of memory/CPU that causes the application pool to reset?


Solution

    • Check there's no other application using name=".SubDomainAuthCookie". These applications can overwrite their cookies.
    • Are you using FormsAuthentication.SetAuthCookie before calling FormsAuthentication.RedirectFromLoginPage in login page? If not, probably authentication cookies are not set properly.
    • Try to log Application_End of global.asax.cs to know if your app is recycling too much.

      protected void Application_End(object sender, EventArgs e) { /* log the Application_End */ }

      As mentioned by @ZippyV in one of the answers below, the reason behind this is that IIS is by default set to automatically generate, on each AppPool recycle, a pair of keys called MachineKey for decrypting and validating authorization cookie contents (as well as other things). Also mentioned in this question.

      When this key is changed, stored authorization cookie contents on all browsers are no longer readable and authorization is lost.

      The simplest remedy is to use a static MachineKey in your web.config.

    • Also try setting the cookies to the parent domain. More info here.
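
An added example, not part of the original answer: a Python sketch that generates the static machineKey element the answer recommends and checks whether a web.config still relies on auto-generated keys. The function names and sample configs are constructed for illustration, and the choice of HMACSHA256 validation with AES decryption is an assumption about the target settings.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Allowed hex lengths: validationKey is 40-128 hex chars; an AES
# decryptionKey is 32, 48 or 64 hex chars (128/192/256-bit).
RULES = {
    "validationKey": range(40, 129, 2),
    "decryptionKey": (32, 48, 64),
}

def new_machine_key():
    """Build a <machineKey> element with fresh random static keys."""
    validation = secrets.token_hex(64).upper()   # 64 bytes for HMACSHA256
    decryption = secrets.token_hex(32).upper()   # 32 bytes for AES-256
    return ('<machineKey validationKey="{}" decryptionKey="{}" '
            'validation="HMACSHA256" decryption="AES" />'
            ).format(validation, decryption)

def audit_machine_key(web_config_xml):
    """Return findings for a web.config; an empty list means static keys."""
    node = ET.fromstring(web_config_xml).find("system.web/machineKey")
    if node is None:
        return ["no <machineKey> element: both keys are auto-generated"]
    findings = []
    for attr, lengths in RULES.items():
        value = node.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            findings.append(attr + " is auto-generated")
        elif not re.fullmatch(r"[0-9A-Fa-f]+", value) or len(value) not in lengths:
            findings.append(attr + " is not a valid hex key")
    return findings

# Constructed sample inputs, not taken from the page.
AUTO_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""
STATIC_CONFIG = ("<configuration><system.web>" + new_machine_key()
                 + "</system.web></configuration>")

if __name__ == "__main__":
    print(audit_machine_key(AUTO_CONFIG))    # two findings
    print(audit_machine_key(STATIC_CONFIG))  # no findings
    print(new_machine_key())                 # element to paste under <system.web>
```

Treat the generated values as secrets and generate your own pair per application rather than copying keys from elsewhere. In a web farm, every server hosting the application needs the same pair.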