Random Session Timeout in ASP.NET MVC3 - asp.net-mvc

i have an application which gets random session timeouts. (IIS 7.5 on Windows 2008 R2, .NET 4.0)
i tried the following:
checked the application log if the w3wp.exe process was crashed, but there is no entry.
disabled in the application pool the rapid fail protection
moved to the sql server state provider to be sure the loadbalancers sticky session is not
the problem. (we use a kemp loadmaster).
ensured that no other applications use the same application pool.
checked that exceptions in a thread of a called assembly is correctly handled. (simulated using throw new exception) and the error handling was correct.
ensured that the validationKey and decryptionKey is set in the webconfig on all 4 webservers to the same key.
i run now out of ideas how to spot this evil bug. any suggestions? i cannot reproduce the problem on my local machine in the debugger.
one point which is maybe important, the move from page 1 to page 2 where the session loss often happens, takes sometimes more than 120 seconds, because of a third party system which is connected via tcp socket.

HI Snoopy you linked to my question as they are similar,
As my appool was crashing I tried this solution. If your appool crash's this may help
http://support.microsoft.com/kb/911816
the solution stop fix hack kept my app-pool up but didn't fix the problem,
<configuration>
<runtime>
<legacyUnhandledExceptionPolicy enabled="true" />
</runtime>
If your app-pool is still intact you might try ELMAH as this helped me a lot
http://code.google.com/p/elmah/
you can use this code to get ELMAH to handle unmanaged exceptions
http://code.google.com/p/elmah/issues/detail?id=199
I am curious if it is MVC 3.0 problem with .net 4.0
as i have several very similar apps running using MVC 2.0 with no problems,
Only started when I moved to MVC 3.0

Does it happen on a single server? Sure sounds like an issue with the web-farm.
Can you alter your app so you don't use the 3rd-party app for testing?
You have to eliminate pieces until the failure goes away, then add stuff back. Restore 3rd party app, turn other servers back on, etc.

Related

Users are logged out randomly from the application (after implemented 2FA)

I have a strange situation in the live environment and it is imposible to figure out what is the issue.
The users complain about the fact they are logged out after a random time.
On the client side it is an ASP MVC application that runs in IIS. Regarding the server side, it is and .net WebApi application that also runs in IIS. This is the session settings from web.config file of the client app:
<sessionState cookieless="false" mode="InProc" timeout="120" />
Even if I have set 120 minutes in config or in IIS advanced settings, they got the logout.
I have a recycle process set at 01:00 in the middle of the night. I have checked the logs files from EvenViewer and there are no other recycle processes trigered, only that one from the middle of the night.
The idea is that I can't reproduce it on my local machine. It happens at any time during the 120 minutes that are configured.
Few weeks ago, I have implemented a mechanism for 2FA using the following library: https://github.com/RobThree/TwoFactorAuth.Net and a functionality "Trust this browser for the next 30 days" in order to skip the MFA authentication if the user want this. Actually, I just keep and expiration date in a cookie in order to know when should I reset the option and ask again the user for a new authentication code. Don't know if it is related to this, but they told me that they encountered this situation after I released that 2FA implementation.
UPDATE After I read more articles in order so solve this issue, I want to add that the aplication is hosted in AZURE. Maybe this information helps.
UPDATE Advanced settings from IIS
UPDATE This are session state settings
Any suggestions would help. Thanks in advance.

VS2013 RTM making once per second Signal R requests when I check with fiddler

When I check with Fiddler I see my new install of VS2013 is giving Continuous Signal R requests. I don't use anything to do with this in my application. How can I stop these requests which I assume are part of VS2013 trying to sync up something?
It's probably due to the BrowserLink feature mentioned here. BrowserLink uses SignalR to communicate between VS and your browsers.
Maybe log out of VisualStudio? It might also help if you tell us where VS is communicating to...
There seem to be two additional calls made by the browser-link:
a one off call made on a page render, on the same port as the site exchanging information about the mapping between Razor views and the elements. This call has __browserlink at the start of the URL.
a periodic call as part of the SignalR synchronisation. This has SignalR about 30 characters into the URL.
The former, a single call, I can live with. The other fills up my capture history.
To avoid this, in fiddler I've used the 'Hide the following Hosts' option in the Filter Tab and put something like localhost:62533 in the text box. Note that port number seems to change with each restart of VS2013.
As long as the 'Use Filters' is checked, I still see the traffic I want to (plus a one-off call for __browserlink).

Redirect issue with Jasig CAS and Websphere

We currently have a set up with a load balancer carrying out SSL offloading, an http server and a websphere app server. Having got over the initial hurdle of the offloading preventing CAS from thinking it was running under https (which we got around by using the httpsIndicatorHeader variable), we now have another issue. Despite the fact we can see CAS redirecting to the target application, the 'handshake' seems to fail, showing a loop of tickets being generated and tried, but never actually validating, and the target application is never reached. There do not seem to be any errors being generated however.
Has anyone experienced anything similar before?
Cheers,
Rob
After investigation, the problem was that the application redirect url set up in websphere was pointing to the original url, rather than suffixing /j_spring_cas_security_check. This caused the circular loop to occur without any attempt to validate the ticket.

401 Unauthorized on ajax requests

We have recently moved our webserver to a new machine (IIS based) and in the asp.net mvc application I am working on, I have noticed that in the firebug console each request fails twice with a 401 error before finally succeeding on the 3rd try. This did not happen previously and the application seems to be running slightly slower than before, though that could just be my perception.
What might be causing this issue and what might I be able to do in order to avoid it?
I ran into a similar problem couple weeks back and the below post saved my day...
https://serverfault.com/questions/137073/401-unauthorized-on-server-2008-r2-iis-7-5
I hope this may help you...
Consider trying to check your IIS pool. Or maybe a timeout expiration?

Getting JSESSIONID cookie into standalone BlazeDS app messages

I have a flex app using BlazeDS to talk with a web app using Spring Security. During normal use the user has already logged into the web app before running the flex app, so the browser takes care of passing the JSESSIONID session cookie on the outgoing messages so the web app knows who they're coming from.
However, I'd like to be able to run the flex app from my IDE (IntelliJ IDEA) for debugging, which means there's been no previous login and thus no existing session. I put some code in -- just for the purpose of debugging -- to first send a login message. That works, and the JSESSIONID cookie comes with the response, but I don't know how to attach it to the subsequent BlazeDS remoting calls that the app makes.
Is there some sort of channel configuration that does this, or some other method? And if you're going to point me to the BlazeDS/SpringSecurity preauthentication example, I appreciate the thought, but we already have a fairly involved configuration of Spring Security and I don't want to mess with that.
As an aside, I was a bit disconcerted when I tried to follow a suggestion to call login() on the RemoteObject's ChannelSet, only to find that the ChannelSet was null. I don't see how that can be, since the remoting calls work, using -- I can only assume -- the AMF channel defined in the services-config.xml. Anyway, I don't know whether login() works by sending j_username and j_password to /j_spring_security_check anyway, so it might not have been appropriate; and of course I'd still be left with the subject of this query, which is how to use the session once it's been created.
I don't think it'll help to explain anything, but I'll include some code and config snippets...
The login:
<mx:HTTPService id="loginRequest" url="http://fiddler:8080/app/j_spring_security_check" useProxy="false"
method="POST" result="handleLoginResult(event)">
<mx:request xmlns="">
<j_username>username</j_username>
<j_password>password</j_password>
</mx:request>
</mx:HTTPService>
The RemoteObject:
<mx:RemoteObject id="remoteObject" destination="blazebackend">
<mx:method name="getConfigData" result="handleConfigDataResult(event)" fault="handleFault(event)"/>
<mx:method name="addSession" result="handleAddSessionResult(event)" fault="handleFault(event)"/>
</mx:RemoteObject>
A channel:
<channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
<endpoint url="/{context.root}/app/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
</channel-definition>
TIA.
I'd like to be able to run the flex app from my IDE (IntelliJ IDEA) for debugging
Using Eclipse you can debug inside Eclipse IDE when deployed on a localhost or remote server by configuring the "Url or path to use" when starting debugging.
JESSIONID means that you're using Java EE authentication, the login method of the ChannelSet can be used for a custom and or Basic authentication (that can be or not a Java EE authentication), I think the best for you is to deploy on a localhost, or eventually remove security when debugging.

Resources