5

How to turn off forms authentication in ASP.NET MVC. I have register, logon and forgot-password pages designed to enter into the web application. Initially I

I currently host my ASP.NET MVC web application in a single-codebase, multiple-database format. I face forms getting expired at some period of time, and the logon.aspx page appears in the middle on the homepage. I figured out this is because of the following code:

webconfig:
<authentication mode="Forms"><forms timeout="180000" slidingExpiration="false"/></authentication>

logon.cshtml:
FormsAuthentication.SetAuthCookie(user.UserName, false);
return RedirectToAction("Index", "Home");

I don't want my users' session or forms to expire until they log out. How to remove the authentication mode, or how to solve this timeout issue? Please help.

Here is my full webconfig code:

<system.web>
    <customErrors mode="Off" />
    <globalization uiCulture="en-AU" culture="en-AU" />
    <!--<sessionState mode="InProc" />-->
    <sessionState timeout="1500"></sessionState>
    <httpRuntime encoderType="AntiXssEncoder, OnlineAB" />
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </assemblies>
    </compilation>
    <authentication mode="Forms">
      <forms timeout="180000" slidingExpiration="false"/>

    </authentication>
    <membership>
      <!--<providers>
        <clear />
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
      </providers>-->
    </membership>
    <profile>
      <!--<providers>
        <clear />
        <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
      </providers>-->
    </profile>
    <!--<roleManager enabled="false">
      <providers>
        <clear />
        <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
        <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
      </providers>
    </roleManager>-->
    <pages>
      <namespaces>
        <add namespace="System.Web.Helpers" />
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Routing" />
        <add namespace="System.Web.WebPages" />
      </namespaces>
    </pages>
  </system.web>

2 Answers

2

As per MSDN:

Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed. If the cookie expires, the user must re-authenticate. Setting the SlidingExpiration property to false can improve the security of an application by limiting the time for which an authentication cookie is valid, based on the configured timeout value.

Remove this property from the config:

<authentication mode="Forms">
  <forms timeout="180000" slidingExpiration="false"/>
</authentication>

and replace with:

<authentication mode="Forms" />

also increase session timeout or remove for default:

remove this:

<sessionState timeout="1500"></sessionState>

5 Comments

Thank you Zaheer Ahmed for replying :) When I remove it, after I host the application online, I couldn't log in to the homepage. It opens another popup saying "Authentication required".
I tried this one too, it does not stop redirecting to logon.aspx after some period of time :(
Try removing the session timeout; you defined a very short time.
I removed. :) I'm checking now with the application. What I understood is 1500 is 25 hours, indicating the session duration for timeout.
Isn't the sessionState timeout's unit minutes? I feel like with 1500 you wanted to suggest 25 minutes (I assume certainly not 1500 minutes).
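
The renewal rule in the MSDN passage quoted in the answer above, as a small Python model (an added example, not part of the original answer or comments and not ASP.NET's own code; `Ticket`, `issue`, `on_request` and `first_rejected` are hypothetical names, and the request timelines are constructed). It shows that with sliding expiration a request in the first half of the interval does not extend the ticket, and that the question's `timeout="180000"` with `slidingExpiration="false"` is an absolute lifetime of 125 days.

```python
"""Model of the forms-ticket renewal rule quoted from MSDN (times in minutes).

Added illustration only: a simplified model, not ASP.NET source code.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Ticket:
    issued: float
    expires: float


def issue(now: float, timeout: float) -> Ticket:
    return Ticket(issued=now, expires=now + timeout)


def on_request(ticket: Ticket, now: float, timeout: float,
               sliding: bool) -> Optional[Ticket]:
    """Return the ticket in force after a request at `now`, or None if expired."""
    if now >= ticket.expires:            # model assumption: boundary counts as expired
        return None                      # user must re-authenticate
    elapsed, remaining = now - ticket.issued, ticket.expires - now
    if sliding and elapsed > remaining:  # more than half the interval has elapsed
        return issue(now, timeout)       # expiry is pushed out from this request
    return ticket                        # first half, or sliding off: expiry unchanged


def first_rejected(requests: Iterable[float], timeout: float,
                   sliding: bool) -> Optional[float]:
    """Replay request times after a login at t=0; return the first rejected one."""
    ticket = issue(0, timeout)
    for now in requests:
        ticket = on_request(ticket, now, timeout, sliding)
        if ticket is None:
            return now
    return None


if __name__ == "__main__":
    # Constructed request timelines with a 30-minute timeout.
    print(first_rejected([10, 35], 30, sliding=True))   # request at 10 did not renew
    print(first_rejected([16, 40], 30, sliding=True))   # request at 16 renewed the ticket
    print(first_rejected([16, 31], 30, sliding=False))  # absolute expiry, no renewal
    # The question's values: timeout="180000", slidingExpiration="false".
    daily = [1440 * day for day in range(1, 200)]
    print(first_rejected(daily, 180000, sliding=False))
```
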
1

I know that the question is old, but I resolved it by adding a machine key to the web.config

You can generate a machinekey for the .NET version that you use and add it in the web.config after the authentication section like the attached image.

machineKey added to the web.config
