I have implemented security for my web api (individual accounts) as discussed here.
I have hosted the website on godaddy (shared hosting) and its working fine. When I ask for token by using url "domain.com/token", I get the token with expiration date of within 15 days. I have set this in "StartupAuth.cs" using
AccessTokenExpireTimeSpan = TimeSpan.FromDays(15)
e.g.:
{
"access_token":"qwertyuiop.....",
"token_type":"bearer",
"expires_in":1209599,
"userName":"user@example.com",
".issued":"Wed, 11 Feb 2015 01:00:00 GMT",
".expires":"Thu, 26 Feb 2015 01:00:00 GMT"
}
(I put values in above code, but you get the idea of the ".expires" field.
5 minutes after getting the token, when I try and access "get" or "post" or any method in my API by passing authorization: bearer token in header as:
Authorization: Bearer qwertyuiop.....
I get this error:
{"Message":"Authorization has been denied for this request."}
Although its just been 5 minutes and token is supposed to last 15 days, it expires within 5 minutes. When I request any method "get"/"post" within interval of 5 minutes, I get the proper response with my data in JSON. In short, authorization succeeds.
I have repeated this behavior by testing it via Fiddler, REST plugin of Chrome and via the mobile app which uses the API.
I have web.config values for session as below (I thought its related)
<sessionState timeout="180" />
Note that forms authentication is not used, so timeout on that section in web.config is not necessary.
Any idea what's going on? This timeout is causing the users of mobile apps which use the API to re-login every now and then. Any help would be appreciated.
Thanks.
Check the WebServer, In IIS the Machine Key can be set at the application level, every time the app pool recycles a new Machine Key is generated hence you need a new token. You can set the Machine key on the Website level or Root Server Level. Maybe this might help
Add to web.config not to be affected by app pool recycling
<system.web>
<machineKey validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
decryptionKey="261F793EB53B761503AC445E0CA28DA44AA9B3CF06263B77"
validation="SHA1"/>
Read here how to generate https://support.microsoft.com/en-us/kb/312906
Try setting Idle Time-out (minutes) to more than 5 minutes.You can found this option under
iis application pool->advanced settings
来源:https://stackoverflow.com/questions/28480848/asp-net-web-api-authorization-tokens-expiring-early