My current running configuration looks like this
<sessionState mode="InProc" timeout="30" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" protection="All" name="Auth_Cookie" path="/" slidingExpiration="true" timeout="30" />
so I expect it to at least let the user be logged in for half an hour (if he does not make any requests)
but the session time out is hit like after 3-4 minutes if the user is not active. I mean global.asax's Session_End event is hit in this time and then in Application_PostAcquireRequestState event I check if any session variables are null and if they are then I sign the user out and redirect him to the log in page. I cant see what is the problem. Am I misunderstanding how this whole works ? what should I do in order to achieve what I want. Thanks in advance
From your comment:
I am constantly rebuilding the solution. is that be it ? can it be
clearing session variables ?
So basically you are recycling the application pool killing everything stored in the session. The biggest problem with ASP.NET Session is that by default it is stored in-memory:
<sessionState mode="InProc"
This has the drawback that if the application pool is restarted you will lose everything you stored in it. And don't forget that the application pool could be restarted by IIS at any time. For example after some period of inactivity or if some CPU/memory thresholds are reached. Also if you deploy your application in a web farm, InProc session simply won't work because the nodes of your farm cannot share session information.
All those drawbacks are the reasons why I never use ASP.NET Session in my web applications and simply put this in my web.config:
<sessionState mode="Off"
Related
I have an ASP.Net MVC app, making use of Forms Authentication, with the following config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="1440" slidingExpiration="true" />
</authentication>
The user count ranges between 20 and 40. Users log in and use the application without a problem...90% of the time.
However, we are finding that on a seemingly random basis, all users suddenly get logged out at the same time, and are presented with the Logon screen again.
The ELMAH log shows that the requests all still have their respective aspxauth cookies, yet the Request.User.Identity is unauthenticated, and has a blank Name.
Please advise where I can start looking as I am at my wits end on this.
I have an ASP.NET MVC 4 web application. Running locally, it works fine, but on the web host (which uses shared hosting), the logged on user is frequently logged out by being redirected back to the home page. In most cases, the user is logged out after performing only a few actions.
The web host suggested that my application could be using up too much memory but I used a program to profile the memory usage and I confirmed that it wasn't using excessive amounts of memory - in fact the application seems to use a fraction of the allocated memory on the web host.
Here is the logon method that is used:
public static Boolean Login(string Username, string Password, bool persistCookie = false)
{
bool success = Membership.ValidateUser(Username, Password);
if (success)
{
FormsAuthentication.SetAuthCookie(Username, persistCookie);
}
return success;
}
In my web host, the forms authentication timeout is set to 60 minutes, so that shouldn't be an issue, right?
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="60" />
</authentication>
and my session state timeout value is also set to 60 minutes:
<sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="60">
Based on the answer here, I added this line also, which didn't seem to solve the issue:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"></machineKey>
Any ideas to what the problem might be and what I can do to solve the problem?
Your sessions are not timing out. The IIS is crashing. Since you are using in memory sessions, every time IIS crashes, your sessions are gone and the user gets logged out. You should check the server's event views and look into details of errors to find out what the error is.
I set my timeout to 2880 in the authentication timeout for web.config and I also set the sessionState before closing system.web
<sessionState timeout="1440"></sessionState>
This will keep the session active for 24 hours.
I was reading in the following page that continualy WindowsAzure recycle store sessions
Why do my instances recycle when trying to store sessions in co-located Azure cache?
This is my webconfig setting:
<sessionState mode="InProc" timeout="2880" />
I was reading that maybe I have to change the Mode to maintain the session alive, because when I'm using the program, suddenly happens that. Let's going to see later than one hour.
What can I do to avoid this bad user experience?
If you are running multiple instances, then you are losing session data as the load balancer bounces users between instances. The "InProc" setting stores the session data on each individual instance and NOT across instances - read more.
If you want to use co-located cache then your config should look something like:
<!-- Windows Azure Caching session state provider -->
<sessionState mode="Custom" customProvider="AFCacheSessionStateProvider">
<providers>
<add name="AFCacheSessionStateProvider"
type="Microsoft.Web.DistributedCache.DistributedCacheSessionStateStoreProvider, Microsoft.Web.DistributedCache"
cacheName="shared"
dataCacheClientName="shared"
applicationName="AFCacheSessionState"/>
</providers>
</sessionState>
Read more.
UPDATE: Finally, check that you are using a REAL BLOB connection string in your ServiceConfiguration.cscfg file. If the connection string says "UseDevelopmentStorage=true", the deployed role will never be able to create/connect to the cache - it will work locally in the emulator though.:
<Setting name="Microsoft.WindowsAzure.Plugins.Caching.ConfigStoreConnectionString" value="UseDevelopmentStorage=true" />
In my Web.config file, I have been trying to set the session timeout. I used the following code:
<configuration>
<system.web>
<sessionState timeout="1"></sessionState>
</system.web>
</configuration>
When I ran the app, the timeout was still set to the default 20 minutes. Trying to figure out why the settings are not applying. Please help! Thanks!
Don't be confused between ASP.NET session timeout (which is what you set) and Forms Authentication cookie timeout which is something entirely different and controlled by the <forms> tag:
<authentication mode="Forms">
<forms
loginUrl="/login"
timeout="1" />
</authentication>
ASP.NET session uses cookies to track users (it has nothing to do with authentication) and associate their unique id with a hashtable stored on the server. Forms authentication on the other hand is a means of tracking authenticated users in ASP.NET. It uses cookies but it is a different cookie than the ASP.NET session.
I have an ASP.NET 4 site with url's having session string embedded in them. Due to this Google index the same page multiple times, all with different session id's. This is affecting my ranking. Earlier i also had the aspautodetectcookie string appended to the url. But i was able to remove it, however the session id embedded in the url remains a problem still.
If my url is http://www.somesite.com/ViewProduct.aspx?ID=12, it shows up like this http://www.somesite.com/S(yya4h4rf4gjh5eo4uazix2t055)X(1))/ViewProduct.aspx?ID=12. I want it to show like http://www.somesite.com/ViewProduct.aspx?ID=12 all the time.
Here are some settings in my web.config that may help you help me
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~/AccessDenied.aspx" name="FORMAUTH" />
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="15" />
<anonymousIdentification cookieless="AutoDetect" enabled="false" />
Now one user asked to change cookieless="true" to fix the problem. However in the artcle http://www.beansoftware.com/ASP.NET-Tutorials/Cookieless-Session-State.aspx the guy says that by adding cookieless = "true" session id 'will be' embedded in all page URLs.
Can anyone tell me how remove this session from the url - forever.
I am running on IIS 7 but do not have much access to the admin features.
If you set cookieless="false" that will solve the problem you are seeing with Google.
However this means that any browser, which doesn't support cookies, will get a new session per request. If you want more help, please tell us how you are using the sessions.