Extending logged in time as per user's choice.
Scenario: The ASP.NET MVC 5 web application is hosted in an Azure Web App. Web.config is set to time out after 60 minutes of no requests made to the server, as shown below.
Web.config:
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="60" slidingExpiration="true" name="MYAUTHDV" cookieSameSite="None" requireSSL="true" />
</authentication>
In the login screen, we would like to provide a CHECKBOX, and if the user ticks it and logs in, the webapp should not log them out for the next 12 hours even if there is no activity.
So far, I have tried a JavaScript timer running on the _layoutpage.chtml and a local storage time value registered at logged-in time on the client side. The JavaScript timer will ping the server every 20 minutes to keep the login alive. This is not always working for multiple reasons like browser, machine sleep mode, hard disk turnoff, internet interruptions and other unknown reasons as well etc. There is also an issue we have to overcome regarding sliding expiration vs JavaScript pinging: https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.slidingexpiration?view=netframework-4.8. I am also open to solutions involving server handling as well. Hoping a client-side solution will incur less modification in our existing app.
Well.. that is a tricky question - simply love it!
Why is it tricky? Because ASP.NET config rules are mostly static and apply to the entire project. That's why a default timeout of 60 minutes will affect every user as a general policy.
The most straightforward solution (without touching your web app internals) will be to define 2 forms - one for regular users (will be kicked off after 1 hour) and another form with extended timeout. Of course - that will make a UI change as well (instead of a checkbox you will need to use a link that redirects the user to a different form). It's not a very elegant solution but it will work.
Problem is that every config section can have only a single <forms> tag (which is very odd - the directive itself is in plural). Following this post there is a way to bypass this issue by declaring 2 sections with 2 different working folders.
So yes - elegant solution is off the table but it's still possible and will work without touching ASP.NET internals - which I consider as positive. The overall solution may look like this:
The web.config file defines 2 different working folders (using the <location> directive). The web.config file should look something like this:
<location path="/{MAIN_FOLDER}">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="60" slidingExpiration="true" name="MYAUTHDV" cookieSameSite="None" requireSSL="true" />
    </authentication>
  </system.web>
</location>
<location path="/{EXTENDED_LOGIN_FOLDER}">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/ExtendedLogin" timeout="720" slidingExpiration="true" name="MYAUTHDV" cookieSameSite="None" requireSSL="true" />
    </authentication>
  </system.web>
</location>
Again - it is not pretty but it's logical - for 2 different behaviors we use 2 different configurations in order to define how every behavior should react. Any other solution will require custom implementation, and as far as I'm concerned - you want to avoid this in the first place.
And on a personal note: please share your final solution here to help others in the future as well. Thanks.
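
The server-side handling the question says it is open to, as an added example that is not part of the original question or answer: the login action issues the forms-authentication ticket itself and picks the lifetime from the checkbox, so no client-side pinging is needed. The class name `SignInHelper`, the method `IssueAuthCookie` and the `keepSignedIn` parameter are hypothetical; the code assumes .NET Framework 4.7.2 or later (required for `cookieSameSite`) and that the credentials have already been verified.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: class, method and parameter names are hypothetical.
public static class SignInHelper
{
    // 60 minutes mirrors timeout="60" in the question's web.config;
    // 12 hours is the lifetime the asker wants when the checkbox is ticked.
    private static readonly TimeSpan DefaultLifetime = TimeSpan.FromMinutes(60);
    private static readonly TimeSpan ExtendedLifetime = TimeSpan.FromHours(12);

    // Call after the credentials have been verified, in place of
    // FormsAuthentication.SetAuthCookie.
    public static void IssueAuthCookie(HttpResponseBase response, string userName, bool keepSignedIn)
    {
        if (response == null) throw new ArgumentNullException(nameof(response));
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("User name required.", nameof(userName));

        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(keepSignedIn ? ExtendedLifetime : DefaultLifetime);

        // The expiration lives inside the ticket, which is encrypted and
        // validated under the default protection setting, so the client
        // cannot lengthen it by editing the cookie.
        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, expires,
            keepSignedIn,                 // persistent only when the box was ticked
            string.Empty,                 // no user data
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                               // not readable from script
            Secure = FormsAuthentication.RequireSSL,       // requireSSL from web.config
            Path = FormsAuthentication.FormsCookiePath,
            SameSite = FormsAuthentication.CookieSameSite  // cookieSameSite from web.config
        };

        // Without Expires the browser drops the cookie when it closes.
        if (keepSignedIn) cookie.Expires = expires;

        response.Cookies.Add(cookie);
    }
}
```

Because the ticket carries its own expiration, an idle user who ticked the box stays signed in until 12 hours after issue, while everyone else keeps the 60-minute window.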