Session Timeout / Autologout

Topics: Troubleshooting
Jan 14, 2014 at 12:49 PM

Having a heck of a time with something that should be simple. Can't seem to get our Orchard site to respect the session timeout settings in IIS. Tried everything I know but the system seems to just ignore session timeout. Log in to the site, wait well over the 20 mins for typical default timeout and expect to get sent back to the login page when I click on something. Site just lets me continue on along remaining logged in. Never had this happen before with other sites but this is our first Orchard site. I've set every timeout I can think of in IIS with no effect. I'm guessing I'm missing something basic in the setup of Orchard but have no idea what it is.

Can anyone help?
Jan 14, 2014 at 3:31 PM
Quite a coincidence, I also ran into this just a couple of days ago. I did some checking, and Orchard constructs the authentication cookie with a hard-coded expiration time of 30 days, completely ignoring everything that might be specified in Web.config. I asked Sebastien about it at the time and this was his response:

Daniel Stolt: Hi Sebastien - do you know the reason why Orchard has a hard-coded 30 day authentication cookie expiration, rather than respect what's specified in Web.config/authentication/forms/@timeout? I think it's very unintuitive - you configure it in Web.config and expect it to be used, but it's not. I'm sure there's a good reason behind it, but what is it?

Sébastien Ros: it was an early design decision, I don't know, but if I had to guess it would be because web.config can't handle multi-tenant settings, or shouldn't. Having it in code makes it overridable. A possible solution would be to expose the property as public, and use HostComponents.config to redefine it if necessary.

Daniel Stolt: Sounds reasonable. Thanks!
Jan 14, 2014 at 3:37 PM
You will have to forgive the noob. Were you able to correct the situation using the suggested method? What was the property that you exposed and where can I find it?
Jan 14, 2014 at 3:39 PM
We didn't get that far yet. :)
Jan 14, 2014 at 6:20 PM
I'm not seeing 30 days anywhere.
Found this ....

(function ($) {
// Some simple settings storage/retrieval
    orchard: {
        __cookieName: "Orchrd", // Orchard, on a diet
        __cookieExpiration: 180, // roughly 6 months
but this does not seem to be associated with the authentication cookie. In examining the authentication cookie during the session, the expiration is set to "SESSION". If I manually delete the cookie, then the site redirects back to the login page. Even manually recycling the app pool doesn't do it. Unbelievably frustrating, we are on the last day to deliver a site to a client and I just cannot believe this is something we have to deal with. Any ideas would be greatly appreciated.
Jan 15, 2014 at 10:31 AM
FormsAuthenticationService.cs, line 27:
ExpirationTimeSpan = TimeSpan.FromDays(30);
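An added illustration, not part of the thread and not Orchard's source: it shows how a browser can list the authentication cookie as "Session" while the forms-authentication ticket carried inside it has its own 30-day expiration. It assumes .NET Framework with a reference to System.Web; the class name, helper names, user name and placeholder cookie value are hypothetical, and `AcceptedAt` only models the expiry comparison.

```csharp
// Added example (not Orchard code). Build as a console app on .NET Framework
// with a reference to System.Web.
using System;
using System.Web;
using System.Web.Security;

static class TicketVersusCookieLifetime
{
    // Assumption: same value as the line quoted from FormsAuthenticationService.cs.
    static readonly TimeSpan ExpirationTimeSpan = TimeSpan.FromDays(30);

    // Hypothetical helper: builds a ticket and the cookie that would carry it.
    static HttpCookie BuildCookie(string userName, bool persistent, DateTime now,
                                  out FormsAuthenticationTicket ticket)
    {
        ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(ExpirationTimeSpan),
            persistent, string.Empty, "/");

        // A real site stores FormsAuthentication.Encrypt(ticket) as the value;
        // a constructed placeholder keeps this example independent of machine keys.
        var cookie = new HttpCookie(".ASPXAUTH", "constructed-placeholder")
        {
            HttpOnly = true,
            Path = "/"
        };

        // Only a persistent cookie gets an Expires attribute. Without one the
        // browser keeps the cookie until it is closed and labels it "Session".
        if (persistent) cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // Models the server-side decision: it depends on the ticket's expiration,
    // not on anything the browser displays for the cookie.
    static bool AcceptedAt(FormsAuthenticationTicket ticket, DateTime when)
    {
        return when < ticket.Expiration;
    }

    static void Main()
    {
        var now = DateTime.Now;
        FormsAuthenticationTicket ticket;
        var cookie = BuildCookie("constructed-user", false, now, out ticket);

        Console.WriteLine("Cookie has Expires attribute: {0}", cookie.Expires != DateTime.MinValue);
        Console.WriteLine("Ticket expiration: {0:u}", ticket.Expiration);
        foreach (var idle in new[] { TimeSpan.FromMinutes(21), TimeSpan.FromDays(29), TimeSpan.FromDays(31) })
            Console.WriteLine("Idle {0}: accepted = {1}", idle, AcceptedAt(ticket, now + idle));
    }
}
```

The ticket is self-contained, so the IIS session-state timeout and an app pool recycle do not change either value.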
Jan 15, 2014 at 10:36 AM
I have not tested this myself yet, but you might be able to set this by adding some markup to Config/HostComponents.config like so:
<Component Type="Orchard.Security.Providers.FormsAuthenticationService">
        <!-- Set Value to configure authentication cookie expiration to 1 hour -->
        <Property Name="ExpirationTimeSpan" Value="1:00:00"/>