Users are logged out randomly from the application (after implemented 2FA) - asp.net-mvc

I have a strange situation in the live environment and it is imposible to figure out what is the issue.
The users complain about the fact they are logged out after a random time.
On the client side it is an ASP MVC application that runs in IIS. Regarding the server side, it is and .net WebApi application that also runs in IIS. This is the session settings from web.config file of the client app:
<sessionState cookieless="false" mode="InProc" timeout="120" />
Even if I have set 120 minutes in config or in IIS advanced settings, they got the logout.
I have a recycle process set at 01:00 in the middle of the night. I have checked the logs files from EvenViewer and there are no other recycle processes trigered, only that one from the middle of the night.
The idea is that I can't reproduce it on my local machine. It happens at any time during the 120 minutes that are configured.
Few weeks ago, I have implemented a mechanism for 2FA using the following library: https://github.com/RobThree/TwoFactorAuth.Net and a functionality "Trust this browser for the next 30 days" in order to skip the MFA authentication if the user want this. Actually, I just keep and expiration date in a cookie in order to know when should I reset the option and ask again the user for a new authentication code. Don't know if it is related to this, but they told me that they encountered this situation after I released that 2FA implementation.
UPDATE After I read more articles in order so solve this issue, I want to add that the aplication is hosted in AZURE. Maybe this information helps.
UPDATE Advanced settings from IIS
UPDATE This are session state settings
Any suggestions would help. Thanks in advance.

Related

How to fix the windows authentication delay in Production environment for Asp.Net MVC application

We have deployed the ASP.MVC application in Production environment as same set up as Test environment. Test environment is taking 10 -20 seconds to authenticate the users through windows authentication but in Production which is taking 60-80 seconds to authenticate the users.
We have added some logs in code and found that after 60-70 seconds only application is started after hitting the URL in browser (code is executed).
Could anyone help us to check and resolve this issue?
To confirm whether windows authentication is taking time or not ,we have added verbose logging to check the execution time of each method. IIS version is 8.
Windows authentication should not take more time to load the home page.
Home page has no functionality to display or read data from database which has some text box to search.

Form authentication problem with multiple IIS worker processes

I'm running an asp.net mvc5 application on a shared hosting environment (a2 Hosting). I ran into a problem where users get randomly un-authenticated when browsing pages WAY before session timout or expiration should be reached.
I tried playing with applicaiton pool configurations to fixed the problem and finally find out that this was related to numbers of worker processes. When the maximum number of worker processes is set to 1, no more disconnection problems.
My appliciation use real basic from authentication. The only customizing I did was usins a custom Principal object to store extra data in authentication cookie. I DON'T use Session in the application so this can't be the problem.
Set it back to 1. Why you shouldn't use web gardens: https://www.youtube.com/watch?v=9bOTesCnszo
For enabling multiple IIS worker processes.
Go to Services & find Asp.Net State Service Set it to Startup
Automatic
Open IIS Manager Goto Web Application, right click and select Explore, this will take you to the folder, find web.config file & edit this file in notepad and Change Session State to State server and Save the web.config file.
Now edit the app pool by right clicking on it & select Advanced settings and find Maximum Worker processes & change the value & change load user profile to true. Click on OK. Open command prompt as Admin and run an "IISRESET" after complete, TEST.
This helps to boost overall application performance.

MVC 4 app users sometimes get logged off when creating new item in production

I have an MVC 4 app and am using the default authentication provider. I'm not using persistent cookies.
I don't have any problems in development but when hosted at HostGator, I SOMETIMES get logged off when I try to create a new item (HTTP POST). When this happens, I end up at the log on page like I wasn't authenticated.
HostGator does NOT have the app on multiple web servers so I'm thinking I shouldn't have to worry about machinekey stuff. Am I wrong?
When this happens, I just log in again and create the item again and it will succeed. Once this happens, I can't recreate the issue. I try reopening the browser and even different browsers but creating items will always work. It only seems to happen again if I try much later.
Some additional info, the timeout is set to 2880 (the default for an MVC project), which I know is long but I can't see how it would be related. Still, thought I'd mention it.
So I can't look at IIS logs or event viewer to get any idea what could be happening but I can add more logging to the app. Can anyone provide ideas for what to check or what logging to add to diagnose?
Thanks
EDIT
I realized that I could get to the IIS logs so I compared the POST that succeeded and the one that failed and immediately noticed something.
When I first did the GET to load the Item/Create page/view, the cs-username was populated but when I did the POST to create the item, it was gone. I can see that when I logged in again and was able to successfully create the item, that POST did have the cs-username populated.
Why would it disappear between the GET and the POST? There was a 7 minute delay from the GET to the POST but I can see I logged on 1 minute before the GET so the session was only 8 minutes old when the post happened. I've double checked that I don't have sessionstate explicitly configured so the default should be 20 minutes. I feel like I'm onto something but not sure exactly what.
Might be worth adding Glimpse, although running that on deployed code is kinda risky. It would have the benefit, though, of letting you see what's actually happening on the server. I've never used HostGator, so I can't say for certain, but if they recycle app pools aggressively, that would invalid your login, and explain why the logoff seems to happen randomly.

Does ASP MVC use a cached production database?

Someone changed my admin password that I use to login to my website. I changed it back, and I can now log in to the MVC site on localhost. However, it won't log in on the server when I publish the site out. This happened yesterday, too, but eventually the production server started letting me log in again. They both use the same database. There seems to simply be a a time delay or some sort of caching going on here. Does ASP MVC do something like this? Does anyone know how to refresh it so that I can log in to both sites again?
Thank you.
Entity does have cache of it's own. But I think your problem depends on whether you enable it.
So I suggest you learn more about the cache and check if you enabled it or not~
You can find more about Entity's cache here
The answer to this question, as stated by Mike McCaughan, was this:
The server will cache connections in a connection pool. To refresh,
restart your application pool in IIS.

Random Session Timeout in ASP.NET MVC3

i have an application which gets random session timeouts. (IIS 7.5 on Windows 2008 R2, .NET 4.0)
i tried the following:
checked the application log if the w3wp.exe process was crashed, but there is no entry.
disabled in the application pool the rapid fail protection
moved to the sql server state provider to be sure the loadbalancers sticky session is not
the problem. (we use a kemp loadmaster).
ensured that no other applications use the same application pool.
checked that exceptions in a thread of a called assembly is correctly handled. (simulated using throw new exception) and the error handling was correct.
ensured that the validationKey and decryptionKey is set in the webconfig on all 4 webservers to the same key.
i run now out of ideas how to spot this evil bug. any suggestions? i cannot reproduce the problem on my local machine in the debugger.
one point which is maybe important, the move from page 1 to page 2 where the session loss often happens, takes sometimes more than 120 seconds, because of a third party system which is connected via tcp socket.
HI Snoopy you linked to my question as they are similar,
As my appool was crashing I tried this solution. If your appool crash's this may help
http://support.microsoft.com/kb/911816
the solution stop fix hack kept my app-pool up but didn't fix the problem,
<configuration>
<runtime>
<legacyUnhandledExceptionPolicy enabled="true" />
</runtime>
If your app-pool is still intact you might try ELMAH as this helped me a lot
http://code.google.com/p/elmah/
you can use this code to get ELMAH to handle unmanaged exceptions
http://code.google.com/p/elmah/issues/detail?id=199
I am curious if it is MVC 3.0 problem with .net 4.0
as i have several very similar apps running using MVC 2.0 with no problems,
Only started when I moved to MVC 3.0
Does it happen on a single server? Sure sounds like an issue with the web-farm.
Can you alter your app so you don't use the 3rd-party app for testing?
You have to eliminate pieces until the failure goes away, then add stuff back. Restore 3rd party app, turn other servers back on, etc.

Resources