问题
how to turn off forms authentication in asp.net mvc.I have register,logon and forgotpassword page designed to enter into the webapplication. Initially i
I currently host my asp.net mvc web application as single codebase and multipledatabase format.I face forms getting expired at some period of time and logon.aspx page appears in the middle on the homepage. I figured out this is because of the following code:
webconfig:
<authentication mode="Forms"><forms timeout="180000" slidingExpiration="false"/></authentication>
logon.cshtml:
FormsAuthentication.SetAuthCookie(user.UserName, false);
return RedirectToAction("Index", "Home");
I dont want my users session or forms to expire until they logout. How to remove the authentication mode or how to solve this timeout issue? Please help.
Here is my full webconfig code:
<system.web>
<customErrors mode="Off" />
<globalization uiCulture="en-AU" culture="en-AU" />
<!--<sessionState mode="InProc" />-->
<sessionState timeout="1500"></sessionState>
<httpRuntime encoderType="AntiXssEncoder, OnlineAB" />
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</assemblies>
</compilation>
<authentication mode="Forms">
<forms timeout="180000" slidingExpiration="false"/>
</authentication>
<membership>
<!--<providers>
<clear />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>-->
</membership>
<profile>
<!--<providers>
<clear />
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
</providers>-->
</profile>
<!--<roleManager enabled="false">
<providers>
<clear />
<add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>-->
<pages>
<namespaces>
<add namespace="System.Web.Helpers" />
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
<add namespace="System.Web.WebPages" />
</namespaces>
</pages>
</system.web>
回答1:
As per MSDN:
Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed. If the cookie expires, the user must re-authenticate. Setting the SlidingExpiration property to false can improve the security of an application by limiting the time for which an authentication cookie is valid, based on the configured timeout value.
remove this property from config
<authentication mode="Forms">
<forms timeout="180000" slidingExpiration="false"/>
</authentication>
and replace with:
<authentication mode="Forms" />
also increase session timeout or remove for default:
remove this:
<sessionState timeout="1500"></sessionState>
回答2:
I know that the question is old, but I resolved it by adding a machine key to the web.config
You can generate a machinekey for the .NET version that you use and add it in the web.config after the authentication section like the attached image.
来源:https://stackoverflow.com/questions/20559946/forms-timeout-issue-in-asp-net-mvc