MVC 4 [Authorize] is denying every user - asp.net-mvc

I restarted my production webserver tonight because it was seeming slow. Since it has come back up, no users are able to get to any views with the [Authorize] attribute on them.
There have been absolutely no code changes since November. Not a single tweak or modification of any kind. I'm using the SqlMembership provider and I originally thought the issue was there with the login, but I can see that the call to MembershipProvider.ValidateUser() passes successfully (looked at a SQL trace as well as some logging). After login, I redirect the user to a view decorated with [Authorize] and get denied.
One thing to note that even makes this more strange is that if I register a new user (who gets logged in as part of the user creation process), they are able to get to [Authorize] pages just fine. But if they log out, they are unable to access the [Authorize] pages once they log back in.
I'm pulling my hair out on this one. My production site is down and literally the only thing I did was a simple server restart. I've searched around for hours and at this point have no clue what to even look into next.
If anybody has some ideas I'd greatly appreciate them - I'm at a complete loss and have a ton of users impacted.

Well, a few Windows updates later the issue fixed itself. My guess is there was an update applied but pending reboot that hosed everything up when I restarted. Then when it came back the system found a bunch more Windows updates to apply. I ran through these and it fixed the problem upon the next reboot after these were applied.

Related

MVC Application Change Session

I have a very peculiar problem at the moment.
We have an MVC system with 10 users working simultaneously. Everything is working fine to a point, and then for no apparent reason, the system changes one user's session id (the Chrome browser session id) to another user's session id.
As a result the system then starts behaving very badly (which I think is obvious).
What could possibly cause this to happen?
Any help would be much appreciated.
Regards

BroadCast Admin message to Each Session User

I have a requirement to inform every user to save their work and logout so that admin can reset iis or do some changes in the asp.net MVC application server.
Looping through the session object collection is not thread-safe, that is what I have learned.
Any other ideas?
And even if I can get hold of active sessions, how do I send a message to those clients?
Thanks in advance.
Save the message in a database and query the database for every request to see if a message exists.
This seems like a poorly-defined requirement.
Serious maintenance should be done at a specific time, and users should be alerted to that time window well in advance.
Simply restarting IIS is a pretty quick procedure... is there any reason users would lose their work when simply restarting IIS? While I've been filling out this StackOverflow answer, for instance, they could have restarted the server a dozen times. Once I hit Post, if the server is down, it'll either timeout and leave my work in the textarea, or else it will connect successfully if the server is back in time.
If I'm not submitting data, but just clicking a link, the same applies: either the browser times out, in which case a simple refresh is enough once the server is back up, or it eventually takes the user where they want to go.
If you're doing pure AJAX requests you will need to handle a missing server yourself, rather than relying on the browser to do it, but you'd need to work that out anyway because of the Eight Fallacies of Distributed Computing #1: "The network is reliable." (see http://en.wikipedia.org/wiki/Fallacies_of_Distributed_Computing)
So, I'd actually push back on that requirement. They're asking you to do something that won't really meet the need (users don't lose data, have a reasonably good experience), that will become complicated, and that will be a brittle solution in the end.
Sounds like a case for SignalR!
https://github.com/SignalR/SignalR
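The per-request lookup suggested in the first answer, as an added ASP.NET MVC example (not code from the question or from either answer). IBroadcastMessageStore, the in-memory store and BroadcastMessageFilter are assumed names; the in-memory store stands in for the database table the answer describes, and the banner text is constructed.

```csharp
using System;
using System.Web.Mvc;

// Assumed store abstraction; a real implementation would read the single
// pending message row from the database, as the answer above suggests.
public interface IBroadcastMessageStore
{
    string GetPendingMessage(); // null when nothing is pending
}

// Constructed in-memory stand-in so the filter can run without a database.
// Reads and writes share one lock, so there is no per-session enumeration
// and none of the thread-safety concern the question raises.
public sealed class InMemoryBroadcastMessageStore : IBroadcastMessageStore
{
    private readonly object _sync = new object();
    private string _message;
    private DateTime _expiresUtc;

    public void Publish(string message, TimeSpan showFor)
    {
        lock (_sync) { _message = message; _expiresUtc = DateTime.UtcNow + showFor; }
    }

    public string GetPendingMessage()
    {
        lock (_sync) { return DateTime.UtcNow < _expiresUtc ? _message : null; }
    }
}

// Registered as a global filter: one cheap lookup per request, result handed
// to the layout, which renders it as a banner on whatever page loads next.
public sealed class BroadcastMessageFilter : ActionFilterAttribute
{
    private readonly IBroadcastMessageStore _store;

    public BroadcastMessageFilter(IBroadcastMessageStore store) { _store = store; }

    public override void OnActionExecuting(ActionExecutingContext ctx)
    {
        var message = _store.GetPendingMessage();
        if (!string.IsNullOrEmpty(message))
            ctx.Controller.ViewBag.AdminMessage = message; // _Layout: @ViewBag.AdminMessage
        base.OnActionExecuting(ctx);
    }
}

// Global.asax.cs, Application_Start (constructed wiring):
//   var store = new InMemoryBroadcastMessageStore();
//   GlobalFilters.Filters.Add(new BroadcastMessageFilter(store));
//   store.Publish("Save your work: IIS restarts in 10 minutes.", TimeSpan.FromMinutes(10));
```

Razor's @ViewBag.AdminMessage HTML-encodes the banner, so an admin-typed message cannot inject markup into every user's page.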

Devise login stopped working

So logging in to my site has suddenly stopped working... I haven't changed the login form and yet every time I try to log in now it comes back with 'Invalid email or password'. Using a password reset link allows me to change the password and logs me in but if I log out again and try using the password I just set it doesn't work.
I'm absolutely tearing my hair out, I've run out of ideas and it's 2am here so everything's looking pretty bleak. Just some ideas about how I might debug the problem would be great.
Thanks!
So, as is often the case, this was just me being an idiot. Note to self: don't just casually run bundle update without thinking about it and without specifying the actual gem you're interested in, unless you've got a lot of free time and a plentiful supply of Prozac.
When I do get around to deliberately upgrading Devise, this is what I'll need: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
It's great working from home, riding solo on projects, but I do miss being part of a team - just having someone to talk to about issues that crop up really helps and keeps you out of a mental rut. StackOverflow is my team now, you lucky people, I'll make the coffees.
If the password is correct and you can't login then it points to maybe your password salt or password pepper logic having changed?
In the future, you should have a request test on your signup form so you can catch this when your code changes. Writing a test might help you debug your issue as well. I recommend Capybara for integration testing.

D2L to our SIS through REST: occasionally the browser gets lost

Occasionally when we go from the "Export Grades to SIS" link in D2L back to our SIS, using the REST API in our SIS to get the grades from D2L, somewhere in the going back and forth between systems, the browser gets lost and simply goes blank. I think the problem is happening in the final hand-off from D2L to our SIS--that seems to be the point where the browser loses track of where it is. When this happens, our SIS continues to act as if it thinks everything is still working correctly--it does pull grades through the REST API, and does everything it is supposed to do. But the browser session has gone blank, and never shows anything from either D2L or our SIS after that, so the user will not know what is going on.
This happens roughly one out of every 6-8 times we test the link between D2L and our SIS. I don't see a definite pattern, at least not yet.
Any ideas what we are doing wrong? What sorts of things should we be looking at to try to determine where the browser is getting lost?
If it is an operational issue with a server it is probably best to open a support ticket with Desire2Learn.

Auto-Logout with multiple tabs open

We've implemented a system similar to the one described in this other SO post. Basically, if the user doesn't do anything for 14 minutes, we prompt them that they will be logged out. If they click on "keep me logged in" we do an ajax request to keep their session alive, otherwise, they are redirected to the logout page after a minute.
It works pretty well, and is in line with similar systems employed at sites like mint.com and bankofamerica.com. The only problem is that our application's users tend to have multiple tabs open to refer back and forth to different pieces of data. So the problem is that they may be actively working in one tab, but then the other tab times out and logs them out. This causes an abrupt session timeout for the user when they were not expecting it. btw, mint.com has this same issue.
So I was wondering if anyone had any ideas to combat this?
I have one idea: each request could set a "last active time" cookie. Upon auto-logout, the server could check this last active time and if it's relatively recent, avoid logging them out. The manual logout would of course ignore this cookie so if the user wants to log out he can do so at any time. However, I'm afraid that this may be exposing some sort of security risk that I'm not able to see at this point. Thoughts?
Before showing the pop-up, ask the server how long ago the user has done his last request.
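The answer's "ask the server" approach, as an added ASP.NET MVC example (not code from the question or the answer). It keeps the last-activity timestamp in the server-side session rather than in a client-set cookie, so the value is not something the browser can forge; TrackActivityAttribute, NotUserActivityAttribute, IdleStatusController and the session key name are all assumed names.

```csharp
using System;
using System.Net;
using System.Web.Mvc;

// Marks actions that must not count as user activity (the idle poll itself).
[AttributeUsage(AttributeTargets.Method)]
public sealed class NotUserActivityAttribute : Attribute { }

// Register with GlobalFilters.Filters.Add(new TrackActivityAttribute()).
// Every tab sends the same session cookie, so one active tab keeps the
// shared timestamp fresh for all the others.
public sealed class TrackActivityAttribute : ActionFilterAttribute
{
    public const string SessionKey = "LastActivityUtc"; // constructed key name

    public override void OnActionExecuting(ActionExecutingContext ctx)
    {
        bool counts = !ctx.ActionDescriptor.IsDefined(typeof(NotUserActivityAttribute), true);
        if (counts && ctx.HttpContext.Session != null)
            ctx.HttpContext.Session[SessionKey] = DateTime.UtcNow;
        base.OnActionExecuting(ctx);
    }
}

public class IdleStatusController : Controller
{
    static readonly TimeSpan WarnAfter = TimeSpan.FromMinutes(14);
    static readonly TimeSpan LogoutAfter = TimeSpan.FromMinutes(15);

    // A tab calls this before showing its warning pop-up. The poll is excluded
    // from activity, otherwise the pop-up itself would keep the session alive.
    [HttpGet, NotUserActivity]
    public JsonResult Check()
    {
        var last = Session[TrackActivityAttribute.SessionKey] as DateTime?;
        var idle = last.HasValue ? DateTime.UtcNow - last.Value : LogoutAfter;
        return Json(new
        {
            idleSeconds = (int)idle.TotalSeconds,
            shouldWarn = idle >= WarnAfter,    // true only if no tab has been active
            shouldLogout = idle >= LogoutAfter // server-side decision, not a cookie
        }, JsonRequestBehavior.AllowGet);
    }

    // "Keep me logged in": an ordinary POST, so the filter refreshes the stamp.
    [HttpPost]
    public ActionResult KeepAlive() { return new HttpStatusCodeResult(HttpStatusCode.NoContent); }
}
```

Each tab's JavaScript timer, when it fires after 14 minutes of local inactivity, calls /IdleStatus/Check and simply resets itself when shouldWarn is false, so a tab only prompts when the whole session has really been idle.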