MVC 5 Logout timeout

Question

Users are asked to login every 20 min or so.

One of those situations where don't know where to look. I'm using C# MVC 5 IdentityFramework 1.0.0

I want to make timeout time to 4 hours.

Till now I have tried in web.config:

<system.web>
  <sessionState timeout="2880"></sessionState>
      <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" />
  </authentication>
</system.web>

and in Startup.Auth.sc:

app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            ExpireTimeSpan = TimeSpan.FromHours(4),
            CookieSecure = CookieSecureOption.Never,
            CookieHttpOnly = false,
            SlidingExpiration = true,
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });

What am I missing?

EDIT - SOLUTION

The solution is to put machineKey in web.config under system.web. Key generator can be found http://aspnetresources.com/tools/machineKey

I have also migrated to Identity 2.0 and kept these settings. Migrated using this blog as a guid: http://typecastexception.com/post/2014/07/13/ASPNET-Identity-20-Extending-Identity-Models-and-Using-Integer-Keys-Instead-of-Strings.aspx

Answer 1

Does it happen even if you run the site locally? Take a look at this blog post describing a similar case.

The point from the blog post being:

...remember that Forms Authentication uses the computer’s machineKey to encrypt the Forms Authentication cookie. "Could the machine key be changing over time on my shared hosting server?", I wondered.

Before emailing them to ask, I looked at the documentation on MSDN for machineKey and discovered that there is an AutoGenerate mode that can be set to regenerate a new machineKey each time the host process for a web application starts up…after 20 minutes of inactivity! Ah ha!