OpenID often requires either the relying party or the provider to maintain some state about the user while an authentication is in progress, even while the user is away from your web site. To avoid running out of memory on your server, this state must be purged after a reasonable length of time. As a result, individual users who take longer than that time limit to log in see a "you took too long" error message and have to start over (and be faster the next time).
There is a balance between scalability and user-friendliness when setting this time limit.
If the default time limit of 5 minutes is not working out for your web site, you can customize it by modifying your web.config file. In the example below, we increase the time limit to 8 minutes.
<configuration>
  <configSections>
    <section name="dotNetOpenAuth" requirePermission="false" allowLocation="true" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection" />
  </configSections>
  <dotNetOpenAuth>
    <openid maxAuthenticationTime="0:08" />
  </dotNetOpenAuth>
</configuration>
Note that your web.config file is expected to be much larger than this, but we're only showing the relevant bits here.
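A deployment check for this setting, as an added example that is not part of the original page or of DotNetOpenAuth: it reads the attribute from a web.config and reports the effective limit, so a value such as "8" (8 days) is not mistaken for 8 minutes. It assumes the attribute is parsed with the standard .NET TimeSpan text format ("d" or "[d.]hh:mm[:ss]"); the function names and the 15-minute ceiling are hypothetical choices.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

# Constructed sample: the relevant part of the web.config shown above.
SAMPLE = """<configuration>
  <dotNetOpenAuth>
    <openid maxAuthenticationTime="0:08" />
  </dotNetOpenAuth>
</configuration>"""

# Subset of the .NET TimeSpan text format: "d" or "[d.]hh:mm[:ss]".
_TIMESPAN = re.compile(
    r"^(?:(\d+)|(?:(\d+)\.)?(\d{1,2}):(\d{1,2})(?::(\d{1,2}))?)$")

def parse_timespan(text):
    """Convert TimeSpan text to a timedelta; a bare integer means days."""
    m = _TIMESPAN.match(text.strip())
    if not m:
        raise ValueError("unsupported TimeSpan text: %r" % text)
    only_days, days, hours, minutes, seconds = m.groups()
    if only_days is not None:
        return timedelta(days=int(only_days))
    h, mi, s = int(hours), int(minutes), int(seconds or 0)
    if h > 23 or mi > 59 or s > 59:
        raise ValueError("field out of range in %r" % text)
    return timedelta(days=int(days or 0), hours=h, minutes=mi, seconds=s)

def max_authentication_time(web_config_xml):
    """Return the configured limit, or the 5-minute default if unset."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./dotNetOpenAuth/openid")
    if node is None or "maxAuthenticationTime" not in node.attrib:
        return timedelta(minutes=5)
    return parse_timespan(node.attrib["maxAuthenticationTime"])

def audit(web_config_xml, ceiling=timedelta(minutes=15)):
    """Return (limit, ok); ok is False when state would outlive the ceiling."""
    limit = max_authentication_time(web_config_xml)
    return limit, limit <= ceiling

if __name__ == "__main__":
    for xml_text in (SAMPLE, SAMPLE.replace('"0:08"', '"8"')):
        limit, ok = audit(xml_text)
        print(limit, "OK" if ok else "exceeds ceiling")
```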
