How to programmatically (edit)

Web.config

http://www.nfex.ru/index.php/ASP.Net/Development/web.config

Command Prompt

{
Process compiler = new Process();
compiler.StartInfo.FileName = @"C:\Windows\System32\cmd.exe";
compiler.StartInfo.Arguments = @"/C dir c:\Secret";
compiler.StartInfo.UseShellExecute = false;
compiler.StartInfo.RedirectStandardOutput = true;
compiler.Start();
string results = compiler.StandardOutput.ReadToEnd();
compiler.WaitForExit();
}

Session in .NET Core + ASP.NET Session timeout handling in Global.asax

https://www.jerriepelser.com/blog/managing-session-lifetime-aspnet-core-oauth-providers/

https://forums.asp.net/t/1519552.aspx?MVC+2+RC+ASP+NET+Session+timeout+handling+in+Global+asax

https://stackoverflow.com/questions/17668444/session-get-null-before-the-session-time-out-periods-in-mvc3

<system.web>
    <sessionState timeout="30" />
</system.web>
<authentication mode="Forms">
    <forms loginUrl="~/Account/Login" defaultUrl="~/Account/Timeout" timeout="30" />
</authentication>

Custom Session: <sessionState mode="Custom" ...

https://docs.microsoft.com/en-us/previous-versions/appfabric/ee790859(v=azure.10)?redirectedfrom=MSDN

Session & Cookie

https://stackoverflow.com/questions/686873/allowing-session-in-a-web-farm-is-stateserver-good-enough

Here is a decent FAQ on asp.net state: http://www.eggheadcafe.com/articles/20021016.asp

From that Article, here is some information on StateServer:

  • In a web farm, make sure you have the same MachineKey in all your web servers. See KB 313091 on how to do it.
  • Also, make sure your objects are serializable. See KB 312112 for details.
  • For session state to be maintained across different web servers in the web farm, the Application Path of the website (For example \LM\W3SVC\2) in the IIS Metabase should be identical in all the web servers in the web farm. See KB 325056 for details

Cookie

ASP.NET Cookie

https://www.codeproject.com/Articles/31914/Beginner-s-Guide-To-ASP-NET-Cookies

OWIN Cookie

https://stackoverflow.com/questions/23090706/how-to-know-when-owin-cookie-will-expire

Working example and complete code is on GitHub: An ASP.NET MVC 5 project that demonstrates an ASP.NET Identity custom user and use of the entity user store.

https://github.com/johndpalm/IdentityUserPropertiesSample (HAY HAY HAY)

https://weblogs.asp.net/jeff/decoupling-owin-external-authentication-from-asp-net-identity

CookieAuthenticationOptions.ExpireTimeSpan

https://github.com/andrebaltieri/oauth-bearer/blob/master/OAuthServer/OAuthServer.Api/bin/Microsoft.Owin.Security.Cookies.xml

<member name="P:Microsoft.Owin.Security.Cookies.CookieAuthenticationOptions.ExpireTimeSpan">
    <summary>Controls how much time the cookie will remain valid from the point it is created. The expiration information is in the protected cookie ticket. Because of that an expired cookie will be ignored even if it is passed to the server after the browser should have purged it</summary>
</member>

https://forums.asp.net/t/2092453.aspx?How+to+avoid+session+expired+cookie+for+Owin+Federation+authentication+

     app.UseCookieAuthentication(new CookieAuthenticationOptions
     {
         AuthenticationType = "External",
         AuthenticationMode = AuthenticationMode.Passive,
         CookieName = CookieAuthenticationDefaults.CookiePrefix + "External",
         ExpireTimeSpan = TimeSpan.FromMinutes(50),
     });

These blogs explain OWIN authentication cookies which is what Identity uses.

https://www.jamessturtevant.com/posts/ASPNET-Identity-Cookie-Authentication-Timeouts/ (HAY HAY HAY)

https://www.techcartnow.com/increase-timeout-asp-net-application/ (HAY HAY HAY)

https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/

https://weblog.west-wind.com/posts/2015/Apr/29/Adding-minimal-OWIN-Identity-Authentication-to-an-Existing-ASPNET-MVC-Application

https://world.episerver.com/forum/developer-forum/-Episerver-75-CMS/Thread-Container/2018/4/timeout-ignored-by-aspnet-identity-and-owin/

https://stackoverflow.com/questions/20737578/asp-net-sessionid-owin-cookies-do-not-send-to-browser

https://forums.asp.net/t/2155185.aspx?Bigger+session+timeout+in+ASP+net+4+5+2

app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                ExpireTimeSpan = TimeSpan.FromMinutes(60),
                Provider = new CookieAuthenticationProvider             
                {
                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.  
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(60),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                }
            });
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieName="AspNetAuthorize",
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.  
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

OWIN based Identity in ASP.NET MVC 5

https://weblog.west-wind.com/posts/2015/Apr/29/Adding-minimal-OWIN-Identity-Authentication-to-an-Existing-ASPNET-MVC-Application#owin-based-identity-in-aspnet-mvc-5

https://forums.asp.net/t/2137672.aspx?Owin+cookie+expiring+on+browser+close

You will need to run Visual Studio as Administrator

https://stackoverflow.com/questions/7622548/c-sharp-mvc-access-to-path-denied-when-trying-to-write-file

Permission in ASP.NET Web Application

https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions

https://stackoverflow.com/questions/7334216/iis7-permissions-overview-applicationpoolidentity

https://stackoverflow.com/questions/14934006/iis-iusrs-and-iusr-permissions-in-iis8

  • ApplicationPoolIdentity
  • IIS AppPool\[name]
  • Users group, IUSR group,  IIS_IUSRS group

If you running asp.net and only as you tagged, then you only need to add this web.config on the root directory that your users upload files. With that web.config you do not allow anyone to run aspx pages on this directory tree.

The web.config on the protected must only contains:

<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

With this web.config your program can still read and write images and other files on this directory, but can not run aspx and other running asp.net extensions.

Samples

http://reddyinfosoft.blogspot.com/2019/11/few-linq-tips-that-are-usefull.html

http://reddyinfosoft.blogspot.com/2013/03/show-line-number-in-exception-handling.html

http://reddyinfosoft.blogspot.com/2017/02/forms-authentication-in-aspnet-mvc-5.html

http://reddyinfosoft.blogspot.com/2017/01/ajax-helper-based-search-in-mvc.html

http://reddyinfosoft.blogspot.com/2017/01/customizing-authorize-attribute.html

http://reddyinfosoft.blogspot.com/2017/01/crud-operations-using-bootstrap-modal.html

http://reddyinfosoft.blogspot.com/2017/02/asynchronous-requests-for-crud.html

http://reddyinfosoft.blogspot.com/2019/11/jquery-datatable-custom-pdf-export.html

http://reddyinfosoft.blogspot.com/2019/11/jquery-datatable-custom-excel-export.html