Home/ Questions/Q 3665784
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T01:48:09+00:00

I have a Asp Mvc 2 site using forms authentication. When I run it

  • 0

I have a Asp Mvc 2 site using forms authentication. When I run it locally I can log in and stay logged in indefinitely.

However when I put it on the server I seem to only stay logged in for a few minutes and then seems to be logged out. I have looked at the cookies and there are 2 which seem relevant:

.ASPXAUTH which is a session cookie
.ASPXANONYMOUS which expires in 3 months.

When I refresh the page the cookies stay the same until I get logged out, when I seem to get a new .ASPXANONYMOUS cookie, but the .ASPXAUTH seems to be the same.

It seems that I might be able to stay logged in until I do something after a certain amount of time. If I submit a form as soon as I am logged in then it works ok, but if I keep submitting data again and again then after a minute or so, one of the submits will happen as a logged out user and not as the user who was logged in, which all the other submits worked as.

What might cause this behaviour and how can I track down what is different & change it so that I can stay logged in indefinitely?

EDIT,

its a single server, but after some more investigation and searching the likely candidate seems to be that I am using more than 100mb on the server and the application pool is getting recycled. I suppose now i need to know

  • How can I check how much memory I’m using.
  • What advice there is to reduce that.
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Could it be that the ASP.NET application is being re-cycled or shutdown (e.g. due to idle timeout, or newly built/changed assemblies)?

    When an ASP.NET web application starts up it will, by default, generate encryption keys for view state and session cookies. This will invalidate any such data originally served from an earlier run of the application (or from a different system).

    To have sessions survive ASP.NET application cycles (and multi-server farms) you can specify the keys in your web.config:

    <system.web>
  ...
  <machineKey
    decryption="AES"
    validation="SHA1"
    decryptionKey="..."
    validationKey="..."
  />

    where decryptionKey and validationKey are hex strings of length depending on the algorithm (with AES: 64 digits and SHA1: 128, for other algorithms check MSDN).

    These keys should be cryptographically generated, and .NET has the types to do this which can be used from PowerShell:

    $rng = New-Object "System.Security.Cryptography.RNGCryptoServiceProvider"
$bytes = [Array]::CreateInstance([byte], 16)
$rng.GetBytes($bytes)
$bytes | ForEach-Object -begin { $s = "" } -process { $s = $s + ("{0:X2}" -f $_) } -end { $s}

    For AES use the above array length, for SHA1 use a length of 64.

    • 0