AuthenticatedUser set to public after a short period of inactivity

Antony V asked on November 23, 2017 22:32

I have some logic that opens a custom page in a modal dialog when a user triggers a certain event on the host page in the Pages app. Everything works fine, but if a user is has been inactive for just a couple of minutes, then opens the dialog, he gets an "access denied" error because MembershipContext.AuthenticatedUser as well as CMSPage.CurrentUser return 'public' instead of the real user's object. Refreshing the browser or switching to a different page in the tree, then returning to the original page, restores the user's context, but it's a huge nuisance, especially when the inactivity period is so short. How do I prevent this behavior?

We use AD authentication, so authentication mode is set to Windows in the web.config. Here are the the membership and roleManager elements:

<membership defaultProvider="CMSProvider" userIsOnlineTimeWindow="30">
  <providers>
    <clear />
    <add name="CMSProvider" type="CMS.MembershipProvider.CMSMembershipProvider" connectionStringName="CMSConnectionString" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed" />
  </providers>
</membership>
<roleManager defaultProvider="CMSRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All">
  <providers>
    <clear />
    <add name="CMSRoleProvider" type="CMS.MembershipProvider.CMSRoleProvider" connectionStringName="CMSConnectionString" applicationName="SampleApplication" writeExceptionsToEventLog="false" />
  </providers>
</roleManager>

I looked at when CMSWindowsUser cookie gets accessed, and there appears to be no correlation. It's set to expire on Session, and the session is active from what I can tell. The value of the SessionId stays unchanged.

Finally, I can see that, after a refresh, the value of IPrincipal.ExpireDate is indeed set to 30 mins into the future, as per web.config. However, just a couple minutes later, when the dialog is opened again, the value if IPincipal changes: Name="" and IsAuthenticated=false.

Recent Answers

Brenden Kehren answered on November 25, 2017 20:26

Have you checked the authentication settings within the Settings app? That may be signing your users out. I believe the default is 20 minutes.

1 votesVote for this answer Mark as a Correct answer

Antony V answered on November 28, 2017 01:13 (last edited on November 28, 2017 01:17)

Are you referring to the screen lock interval under Protection? Screen lock is disabled, since it's irrelevant with AD auth. In any case, the interval is set to 20 mins.

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.