
FormsAuthenticationTicket expires too soon

This is my function that is called when a login is successful. (I am very new to this FormAuthentication thing)

public static void CreateLoginCookie(User u)
{
  FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(u.Id.ToString(), true, 9*60);
  string encryptedTicket = FormsAuthentication.Encrypt(ticket);
  HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket) { Expires = DateTime.Now.AddHours(9) };
  HttpContext.Current.Response.Cookies.Add(cookie);
}

In the web.config I have

<authentication mode="Forms">
  <forms loginUrl="~/Default/Login" timeout="540" />
</authentication>

I want the user to stay logged in for 9 hours, but it doesn't work. They get logged out after an hour or two.

Could someone tell me what I am missing?

Aximili asked Feb 03 '11 01:02


3 Answers

It may happen because of Application Pool recycling.

The authentication cookie is encrypted with machine keys. It seems that by default these machine keys are generated at each application pool restart. When your application is idle for some time (configured in application pool settings), your application pool is recycled.

So you need to generate static machine keys.

This question is related to yours: Can a FormsAuthenticationTicket survive an app pool recycle?

6opuc answered Oct 22 '22 08:10


Have you looked at modifying the timeout in the web.config file?

<forms 
   name="name" 
   loginUrl="URL" 
   defaultUrl="URL"
   protection="[All|None|Encryption|Validation]"
   timeout="[MM]"
   path="path"
   requireSSL="[true|false]"
   slidingExpiration="[true|false]"
   enableCrossAppRedirects="[true|false]"
   cookieless="[UseUri|UseCookies|AutoDetect|UseDeviceProfile]" 
   domain="domain name"
   ticketCompatibilityMode="[Framework20|Framework40]">
   <credentials>...</credentials>
</forms>

Victor answered Oct 22 '22 08:10


I've used this snippet and it works for me, take a look at this:

        FormsAuthenticationTicket Ticket = new FormsAuthenticationTicket(
            1,                                     // Ticket version
            username,                              // Username associated with ticket
            DateTime.Now,                          // Date/time issued
            DateTime.Now.AddDays(1),               // Date/time to expire
            isPersistent,                          // "true" for a persistent user cookie
            dataStore,                             // User-data, in this case the roles
            FormsAuthentication.FormsCookiePath);  // Path cookie valid for

        // Encrypt the cookie using the machine key for secure transport
        string Hash = FormsAuthentication.Encrypt(Ticket);
        HttpCookie Cookie = new HttpCookie(FormsAuthentication.FormsCookieName, Hash);

        // Set the cookie's expiration time to the ticket's expiration time
        if (Ticket.IsPersistent)
            Cookie.Expires = Ticket.Expiration;

        // Add the cookie to the outgoing response
        HttpContext.Current.Response.Cookies.Add(Cookie);

Edgar answered Oct 22 '22 07:10