I have an ASP.Net MVC app, making use of Forms Authentication, with the following config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="1440" slidingExpiration="true" />
</authentication>
The user count ranges between 20 and 40. Users log in and use the application without a problem...90% of the time.
However, we are finding that on a seemingly random basis, all users suddenly get logged out at the same time, and are presented with the Logon screen again.
The ELMAH log shows that the requests all still have their respective aspxauth cookies, yet the Request.User.Identity is unauthenticated, and has a blank Name.
Please advise where I can start looking, as I am at my wits' end on this.
Related
We have a closed system (only authenticated users can use the system (FormAuthentication)).
Unauthenticated users must see an entrance page with a login option.
Our site is multi-tenant (x.com, y.com, z.com run on the same web application).
We can think of these:
RouteConstraint (anonymous users are routed to a different controller action, and that action is output cached).
CustomOutputCaching: How to turn output caching off for authenticated users in ASP.NET MVC?
IIS level (in web.config maybe). Could we route all unauthenticated users to the entrance page (we don't know how)? (It must be multi-tenant and output cached!)
We can think of these. Our first goal is performance.
EDIT
When an unauthenticated user tries to enter an authenticated page, they have to get a 404 error or a root URL redirection (not a login redirection).
PS:
Sometimes we get weird unauthenticated web requests (not DDoS, but boring). We respond to them with 404.
There is no problem serving our entrance page for this type of request (performance is the first consideration for us).
A simple login page should be all you need, which a user will be redirected towards if attempting to access a page that requires authentication, marked with [Authorize]. The Login Actions for the page should be [AllowAnonymous].
All you need to do is add this to web.config:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" requireSSL="true" cookieless="UseCookies"></forms>
</authentication>
</system.web>
As for the cross-domain name authentication, that is a separate issue. I suggest selecting one to house your users, and use OAuth for the other domains. However, I will yield to others on that specific part.
My current running configuration looks like this
<sessionState mode="InProc" timeout="30" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" protection="All" name="Auth_Cookie" path="/" slidingExpiration="true" timeout="30" />
</authentication>
So I expect it to at least let the user stay logged in for half an hour (if he does not make any requests),
but the session timeout is hit after about 3-4 minutes if the user is not active. I mean global.asax's Session_End event is hit in this time, and then in the Application_PostAcquireRequestState event I check if any session variables are null, and if they are, I sign the user out and redirect him to the login page. I can't see what the problem is. Am I misunderstanding how this whole thing works? What should I do in order to achieve what I want? Thanks in advance.
From your comment:
I am constantly rebuilding the solution. Is that it? Can it be clearing session variables?
So basically you are recycling the application pool killing everything stored in the session. The biggest problem with ASP.NET Session is that by default it is stored in-memory:
<sessionState mode="InProc"
This has the drawback that if the application pool is restarted you will lose everything you stored in it. And don't forget that the application pool could be restarted by IIS at any time. For example after some period of inactivity or if some CPU/memory thresholds are reached. Also if you deploy your application in a web farm, InProc session simply won't work because the nodes of your farm cannot share session information.
All those drawbacks are the reasons why I never use ASP.NET Session in my web applications and simply put this in my web.config:
<sessionState mode="Off"
I've seen this a few times in our logs and users have also reported it to us but have never really gotten to the bottom of the problem.
From time to time, a page will render from output caching with links that have a strange path value in. Say (X(3)S(5l53uwuaffkddojv4iwb3snm)). Presumably this occurs because the first render of the page has these links, and they are therefore cached with them.
This means that all urls on that page look similar to this.
http://www.example.com/(X(3)S(5l53uwuaffkddojv4iwb3snm))/foo/bar/index.htm
This looks identical to this question and the MSDN article "Understand How the ASP.NET Cookieless Feature Works", except that we use sessions or session cookies for our public site, but for 99% of our site, we don't actually use sessions. The remaining 1% uses session cookies for the user experience, so I don't see how this causes a problem with the rest of our site.
This part of the above article seems to reference the issue:
// Step 2: Check if we have already detected that Cookies are not
// supported. This is detected by looking for the string
// "/(X(1))/" in the URL
If (URL-contains-"/(X(1))/")
Report_cookies_are_NOT_supported_and_exit;
Currently the sessionstate looks like this:
<sessionState mode="SQLServer" sqlConnectionString="data source=myDatabase;user id=dbUsername;password=dbPassword" cookieless="false" timeout="10080" />
Anyone have any ideas on how I can resolve this issue? Is there a way we can prevent urls like this from displaying?
Make sure you have forced the usage of cookies:
<sessionState cookieless="UseCookies" />
and for the forms authentication cookie as well:
<forms loginUrl="~/Account/LogOn" timeout="2880" cookieless="UseCookies" />
If you don't do that and have a client browser which has cookies disabled you will get the aforementioned token in the url.
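A defender-side check for the settings these answers discuss (the InProc session answer and the forced-cookies answer above), added here as an example and not code from any of the posters: it parses a web.config and reports cookieless modes that can place session or auth tokens in URLs, InProc session state, a forms cookie without requireSSL, and an auth ticket that outlives the session. The sample config is constructed, the name `audit_web_config` is hypothetical, and the config is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not any poster's real configuration).
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="AutoDetect" timeout="15" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="1440" slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>
"""

# Values that keep the token in a cookie; any other mode can put it in the URL.
COOKIE_ONLY = {"usecookies", "false"}


def audit_web_config(xml_text):
    """Return (element, finding) tuples for the settings discussed above."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("sessionState", "forms"):
        for el in root.iter(tag):
            mode = el.get("cookieless")
            if mode is None:
                if tag == "forms":  # forms defaults to UseDeviceProfile
                    findings.append((tag, "cookieless not set explicitly"))
            elif mode.lower() not in COOKIE_ONLY:
                findings.append((tag, f'cookieless="{mode}" can put tokens in URLs'))
    session = root.find(".//sessionState")
    forms = root.find(".//forms")
    if session is not None and session.get("mode", "InProc").lower() == "inproc":
        findings.append(("sessionState", "InProc state is lost on app pool recycle"))
    if forms is not None:
        if forms.get("requireSSL", "false").lower() != "true":
            findings.append(("forms", "requireSSL is not true"))
        # Both timeouts are minutes; the defaults are 30 (forms) and 20 (session).
        ticket = int(forms.get("timeout", "30"))
        state = int(session.get("timeout", "20")) if session is not None else 20
        if ticket > state:
            findings.append(("forms", f"ticket ({ticket} min) outlives session ({state} min)"))
    return findings


if __name__ == "__main__":
    for element, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{element:<14}{finding}")
```

URL-embedded tokens matter beyond broken links: as the question above notes, an output-cached page can hand one visitor's token to every later visitor.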
I have the following scenario: the user logs in using a Google account and then I call FormsAuthentication.SetAuthCookie(name, true);. In my web.config I have
<authentication mode="Forms">
<forms cookieless="UseCookies" name=".someName" slidingExpiration="true" timeout="10080"/>
</authentication>
And that's it, no membership provider, no dbo.aspnet_* tables. And that would be fine, except sometimes (I don't know why), even when the user doesn't close the browser and sends requests periodically, he becomes non-authenticated again. Can anyone explain why?
And what should I do to make authentication persistent? It would be great if the solution didn't involve SQL Server, as there isn't any.
I have an ASP.NET 4 site with URLs that have a session string embedded in them. Due to this, Google indexes the same page multiple times, all with different session IDs. This is affecting my ranking. Earlier I also had the aspautodetectcookie string appended to the URL. I was able to remove it, but the session ID embedded in the URL still remains a problem.
If my url is http://www.somesite.com/ViewProduct.aspx?ID=12, it shows up like this http://www.somesite.com/S(yya4h4rf4gjh5eo4uazix2t055)X(1))/ViewProduct.aspx?ID=12. I want it to show like http://www.somesite.com/ViewProduct.aspx?ID=12 all the time.
Here are some settings in my web.config that may help you help me
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~/AccessDenied.aspx" name="FORMAUTH" />
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="15" />
<anonymousIdentification cookieless="AutoDetect" enabled="false" />
Now one user asked to change cookieless="true" to fix the problem. However, in the article http://www.beansoftware.com/ASP.NET-Tutorials/Cookieless-Session-State.aspx the guy says that by adding cookieless = "true" the session ID 'will be' embedded in all page URLs.
Can anyone tell me how to remove this session from the URL - forever?
I am running on IIS 7 but do not have much access to the admin features.
If you set cookieless="false" that will solve the problem you are seeing with Google.
However this means that any browser, which doesn't support cookies, will get a new session per request. If you want more help, please tell us how you are using the sessions.