表单身份验证slidingExpiration不起作用

Question

I have below code

int intTimeout = (FormsAuthentication.Timeout.Hours * 60) +
  FormsAuthentication.Timeout.Minutes;
var authTicket = new FormsAuthenticationTicket(1, Utility.userCookie, DateTime.Now, 
  DateTime.Now.AddMinutes(intTimeout), true, cookieValue);

string strEncryptedTicket = HttpUtility.UrlEncode(FormsAuthentication.Encrypt(authTicket));
var authCookie = new HttpCookie(Utility.userCookie, strEncryptedTicket);
authCookie.Expires = authTicket.Expiration;
//FormsAuthentication.RedirectFromLoginPage("", false);
authCookie.Secure = FormsAuthentication.RequireSSL;
//authCookie.Secure = true;

HttpContext.Current.Response.Cookies[Utility.userCookie].Expires = authTicket.Expiration;
HttpContext.Current.Response.Cookies[Utility.userCookie].Value = authCookie.Value;

Below web.config

<authentication mode="Forms">
  <forms timeout="2" slidingExpiration="true" requireSSL="true" />
</authentication>

I keep hitting page link, still it expires in 2 minutes .

Answer 1

Please pay attention to the structure of custom forms–based authentication in web.config :

<forms 
   name="name" 
   loginUrl="URL" 
   defaultUrl="URL"
   protection="[All|None|Encryption|Validation]"
   timeout="[MM]"
   path="path"
   requireSSL="[true|false]"
   slidingExpiration="[true|false]">
   enableCrossAppRedirects="[true|false]"
   cookieless="[UseUri|UseCookies|AutoDetect|UseDeviceProfile]" 
   domain="domain name"
   ticketCompatibilityMode="[Framework20|Framework40]">
   <credentials>...</credentials>
</forms>

As you see, timeout property works based on minutes where you set it 2 (eg 2 minutes).

Generally, if you enable slidingExpiration in web.config . You have no need to regenerate a new cookie manually . For your scenario, I suggest you to use a trace tool eg Fiddler. When you refresh the page, you can check from Fiddler that whether the cookie expired time is reset.

I found a good example in Weird Timeouts With Custom ASPNETFormsAuthentication which can do some clearance for you.

Answer 2

尝试从代码中删除此行，然后重试：

HttpContext.Current.Response.Cookies[Utility.userCookie].Expires = authTicket.Expiration;

Answer 3

在web.config文件中，删除<clear/>元素或在<clear/>元素后添加以下内容（如果不存在）。

<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/>

Answer 4

Maybe the problem is related to lack of static machineKey section in the web.config file. when you call FormsAuthentication.Encrypt or FormsAuthentication.Decrypt , the methods use the machineKey values which is provided in the web.config file to perform the operation. if you do not provide strict values for machineKey, a new unique validationKey and decryptionKey would generate at the start point of the web application. sometimes depend on the server settings(for example small Idle-Time values for application pool settings), application is terminated before the expiration time of the FormsAuthenticationTicket . in this case because of the new machineKey values the Decrypt method can't validate the Ticket. I just recommend you to set a static machineKey.

see the following link: https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx

Answer 5

In my application, I define cookieAuthenticationOptions in Startup.cs like this and it works fine

app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                ExpireTimeSpan = TimeSpan.FromHours(1),
                SlidingExpiration = true,
                CookieHttpOnly = true,
                CookieName = "App.Authentication",
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
            });

Do you define those options ?

Why you don't use the SignIn method of AuthenticationManager ?