I\'m using forms authentication in an ASP.NET application. I configure the FormsAuthenticationTicket
to expire in 1 year but it actually expires after 1 hour or so.
I don't see anything wrong with the code. What browser are you using, perhaps it doesn't recognize the expiration date of 1 year? I would look at the response headers with fiddler or some such tool and see what's actually being sent.
This is your problem.
<machineKey validationKey="AutoGenerate"
decryptionKey="AutoGenerate"
validation="SHA1"/>
ASP will generate a new machine key every time the app pool recycles. Which could reasonably happen every hour.
The machine key is used to encrypt and decrypt your FormsAuthentication cookie. If it changes, the cookie on your browser is no longer any good. So the system will treat you as if you have never logged on.
Try generating a static key and adding it to the configuration file. Should look something like this:
<machineKey
validationKey="21F090935F6E49C2C797F69(snip)F1B72A7F0A281B"
decryptionKey="ABAA84D7EC4BB56D75D(snip)B8BF91CFCD64568A145BE59719F"
validation="SHA1"
decryption="AES"
/>
Generate yourself a key here.
This might help http://support.microsoft.com/kb/910439/
My guess is that the cookie is expiring before the ticket. The above article shows you ways to debug to see if that is indeed the case.
The only thing that I can see that is non-standard is that you are passing id.ToString() to the FormsAuthenticationTicket constructor. I usually pass the username in this parameter. Not sure whether this will make a difference, but worth a try.
Are you using anything else in your application that might cause a timeout? Automatically logging you out if in-proc session states expire for example.
I assume you've got some code in your Global.asax to process the authenticated request too?