We have an ASP.NET MVC3 based Web role running on the Azure cloud, using Forms Authentication.
Occasionally we have noticed that users that are logged in will get logged out automatically without any action (while the browser window is open).
Has anyone else seen this? Any ideas as to why this might be happening?
It has been observed on multiple machines for multiple users using multiple browsers.
Thanks!
Not much to go on, here, but...
Are you running multiple instances? If so, did you set up SQL Azure or Cache as your Session Provider? If not, you'd have two sets of session state, and depending on which VM instance you hit, your user's session state may or may not be present.
Is the logout happening after 20 minutes of inactivity? That's the default timeout for the AppPool before it recycles.
Does this happen in the Compute Emulator as well as when you deploy?
Since the Windows Azure network load balancing doesn't support affinity, each single client request will be redirected to any node instance. If you don't use SQL Azure or Azure AppFabric Cache as Session Provider, each instance will have its ASP.NET session in-memory. Then each in-memory session will be invisible to other instances.
Most likely either you are running InProc for your Session and when the users go to a new server they are having to log in again or your server is restarting for some reason. If you are using InProc, switch to AppFabric Caching and if you are using that already, log into the box and check the event logs to see if the process is restarting (look for an unhandled exception).
Related
I am in the process of building an Intranet MVC 4 application for our analysts. The goal is to allow internal users access to this application without having to sign on given they are part of our internal network. When they access the application I want to be able to capture their Windows user name and check against the active directory using LDAP and retrieve the department they belong to and display the relevant details on the screen. Based on the advice from different fora, I have chosen Windows Authentication for this application and I was able to test the app successfully running from Visual Studio. The trouble I am having is when I deploy this to our UAT server running IIS 7.5.
<authentication mode="Windows">
</authentication>
<identity impersonate="false" />
This is the current state of my Web.config file. Irrespective of whether impersonate is true or false, the application seems to not capture the Windows username of the browser from which the application is accessed. Is impersonate = true required for this at all? In the Welcome message on the homepage, I always see the Windows user name of the computer where the application is hosted/IIS is running. I have tried a wide variety of ways to capture the Windows user name of the incoming user request.
string name = System.Web.HttpContext.Current.User.Identity.Name;
string name = System.Web.HttpContext.Current.Request.LogonUserIdentity.Name;
string name = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
string name = System.Web.HttpContext.Current.Request.ServerVariables["LOGON_USER"];
etc. I also looked into several other posts here like this. But I am unable to get it to work. I am afraid that I am trying to achieve this by accident rather than really understanding what is going on. Could someone please guide me in the right direction?
No, you misunderstand the purpose of impersonation.
First, Impersonation is no longer supported in IIS 7 or greater running in integrated mode.
Second, the purpose of impersonation is to change the "user" the worker process runs under at runtime, specifically to allow access to filesystem or database resources as that user. It has nothing to do with authentication in general, and is not particularly useful for most web applications.
You want to use Windows Authentication, however you should know that this will only work with Internet Explorer. It will also only work with servers that are joined to your domain, and do not have any intermediary Kerberos authentication issues (these are often known as "double hop" problems). Other browsers do not, by default, provide Active Directory account information automatically, although some may be configured to allow it to do so; others do not.
If you are using a properly configured server with Windows Authentication, and you are using a browser that supports Active Directory Kerberos ticket passthrough, and there are no network issues that would cause problems with this passthrough, then you can use HttpContext.Current.User.Identity.Name to get the user's name.
Don't use LogonName or anything like that, as those will just give you the worker process, not the authenticated user's name.
I have a MVC3, ASP.NET 4.5 web application deployed on Azure Websites, using SQL Azure.
Currently I am using some "inproc" Session variables which I need to remove since I am going to start using multi website instances. I could just store the Session variable values in the SQL Azure DB, but I am also using TempData, which also uses Session state, "under the bonnet". Due to TempData use, I do need to implement an "out of proc" session solution.
I have seen some recommendation for using AppFabric caching, but I am unsure whether this is still current, and whether it is correct for Azure websites.
Also my development setup is on a Windows 7 machine with SQL Server 2008 R2. So a solution should be transferable with minimum pain.
There is also a "thread agility" issue with session variables, and an open source solution has been created using Redis caching, but I have no experience of this, or Redis. See: GitHub site
So thoughts I have are:
1) Angieslist/AL-redis custom provider, see: GitHub link. Not entirely sure that this can be used in an Azure Websites application.
2) Appfabric. Not sure if this is relevant or current for Azure Websites.
3) SQL Azure session provider.
4) Azure Table storage.
5) Use a custom TempData provider to persist via cookies, i.e. https://www.nuget.org/packages/BrockAllen.CookieTempData.dll/1.2.2, and then remove other session variables.
I would be very grateful for advice on a good Azure Websites session implementation mechanism which is simple. My data is pretty simple. I think I have one object which I guess I will need to serialize, probably via Json.NET.
If you have more than one instance of an Azure Web Site, sticky sessions are enabled by default by the load balancer. This means that a user will be directed to the same instance (server) and that you'll be able to use session state in your app.
You may also find the Distributed Caching section (Ch 12) of this ebook helpful http://aka.ms/CloudApps_PDF
I need to know the best practices for deploying a new version of an ASP.NET MVC application while users are still connected to it.
Every time one deploys the .dll that contains the models and controllers of the application, the application is rebooted. Also deploying the web.config (that references eventually new libraries) results in rebooting the application.
So, the question is: how do I update the application's dll or web.config without disconnecting the users from the site?
You want to use another session state option other than using in-proc so your users survive when the process recycles or system reboots.
InProc: In-Proc mode stores values in the memory of the ASP.NET worker process. Thus, this mode offers the fastest access to these values. However, when the ASP.NET worker process recycles, the state data is lost.
See ASP.NET Session State Options for more ASP.NET options and mentions of other third party session state providers.
This question also deals with possible deployment scenarios to help with the websites under load and slow app times after a pool recycle: How are people solving app pool recycle issues on deployment with large apps?
Ideally you want to be as stateless as you can, and stay away from session. Perhaps you can use a cookie for tracking the current user via forms auth for example. But you must stay away from in-proc by using distributed cache/session provider so users won't lose session state on app pool recycles.
I think the best is to deploy a new site for new sessions, and maintain existing sessions in the old one.
I feel that "The blue green deployment strategy" article linked below can be hacked with a few changes to do that (Disallow New Connections instead of issuing a "drain", using sticky sessions).
https://kevinareed.com/2015/11/07/how-to-deploy-anything-in-iis-with-zero-downtime-on-a-single-server/
I understand that Spring Security's HttpSessionSecurityContextRepository makes use of HttpSession.
Furthermore, I have read that PaaS such as CloudFoundry try to avoid session replication for the purpose of scalability.
I intend to deploy an application to the CloudFoundry PaaS.
Are there issues with using HttpSessionSecurityContextRepository on CF?
CloudFoundry documentation simply says that HTTP Sessions are not replicated across instances by default. All this means is that applications deployed on multiple instances will be unable to use any sort of HTTP session clustering by default. HTTP sessions become sticky, that is, all HTTP requests in the same session will be routed to the instance on which the session for the request resides. In case an instance fails, users who had an active session on that instance will be migrated to other instances but they will lose their session information, which will mean they will have to log in again.
This does not mean it is unsafe to use Spring Security in such an environment. The semantics with Spring Security will be the same as those without it. Once a user has logged in, they will continue to access the CloudFoundry instance on which their session was created. If that instance crashed, they will be automatically ported to another instance but will have to log in again.
If the default set up (without session replication) is a concern, it is certainly possible to share sessions across instances. CloudFoundry forums list two ways of achieving this - via Redis and using JDBC. It is also possible to implement your own solution using one of the CloudFoundry services.
I have an MVC3 application on GoDaddy servers and the session is quite unstable.
When I log in it works fine but while navigating in the application it logs me out, and hitting refresh or navigating a little more inside the application it logs me in just like that (without asking credentials or anything). On my remote test servers and locally it works fine.
This is probably not a session issue but rather an authentication cookie/ticket issue. GoDaddy (most likely) has their servers load balanced. Meaning that your application actually exists on more than one server at a time.
In your web.config, if you are not properly defining the <machineKey> attribute, then IIS makes up a machine key for you. Each server running the application will make their own machine key if it is not defined by you. As a result, one server is able to decrypt and read your authentication ticket, while the next request goes to another server which cannot decrypt the authentication ticket because it was encrypted with a different key and this server thinks that you are not logged in.
To address this issue, open your web.config file and define your <machineKey> attribute and redeploy. Once you log in with the newly deployed application, you should see this issue disappear.
Forms authentication and Machine Key information on MSDN
Machine Key Generator (Most likely, everyone going here should use the .NET 2.0 version that is generated)
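The load-balancing failure this answer describes, as an added example that is not part of the original post: a simplified model in C# where each server signs the login ticket with HMAC-SHA256 under its own key (ASP.NET's real ticket format is different), run first with per-server keys and then with one locally generated key shared by both servers. The FarmNode class and its methods are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Simplified model of one load-balanced server: it signs and checks a login
// ticket with HMAC-SHA256. Assumption: this is NOT ASP.NET's real ticket format.
class FarmNode
{
    private readonly byte[] _key;
    public FarmNode(byte[] key) { _key = key; }
    public static byte[] NewKey(int size)      // key from the OS CSPRNG, generated locally
    {
        var key = new byte[size];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }
    public string Issue(string user)           // base64(payload) + "." + base64(MAC)
    {
        byte[] payload = Encoding.UTF8.GetBytes(user);
        using (var mac = new HMACSHA256(_key))
            return Convert.ToBase64String(payload) + "." +
                   Convert.ToBase64String(mac.ComputeHash(payload));
    }
    public string Validate(string ticket)      // user name, or null when the MAC fails
    {
        string[] p = ticket.Split('.');
        if (p.Length != 2) return null;
        byte[] payload, tag, good;
        try { payload = Convert.FromBase64String(p[0]); tag = Convert.FromBase64String(p[1]); }
        catch (FormatException) { return null; }
        using (var mac = new HMACSHA256(_key)) good = mac.ComputeHash(payload);
        int diff = good.Length ^ tag.Length;   // compare without early exit
        for (int i = 0; i < good.Length && i < tag.Length; i++) diff |= good[i] ^ tag[i];
        return diff == 0 ? Encoding.UTF8.GetString(payload) : null;
    }
    static void Report(string label, FarmNode[] farm)
    {
        string ticket = farm[0].Issue("alice"); // constructed user; login lands on server 0
        for (int r = 0; r < 4; r++)             // load balancer alternates between servers
            Console.WriteLine("{0} request {1} -> server {2}: {3}", label, r, r % 2,
                farm[r % 2].Validate(ticket) ?? "not logged in");
    }
    static void Main()
    {
        // No <machineKey> defined: each server makes up its own key.
        Report("own keys  ", new[] { new FarmNode(NewKey(32)), new FarmNode(NewKey(32)) });
        byte[] shared = NewKey(32);             // one key generated once, deployed to every server
        Report("shared key", new[] { new FarmNode(shared), new FarmNode(shared) });
    }
}
```

With per-server keys the output alternates between "alice" and "not logged in", which is the log-out-then-log-in symptom from the question; with the shared key every request validates. Hex-encoded random bytes generated locally in this way are what the validationKey and decryptionKey attributes of <machineKey> hold, and they are secrets, so keep them out of source control.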