Website is redirecting back to login page after successful authentication - asp.net

I have a website on a production server, ASP.NET WebForms using the ASP.NET Identity system.
Sometimes, when users try to log in, it redirects them back to the login page after successful authentication, thereby denying them access to the user dashboard and other secured pages.
The temporary solution to this is for me to Recycle Application Pools in the hosting server (via plesk). But it appears again after some time. Sometimes before 24hrs or more.
The issue most often occurs when multiple users are getting logged in at a range of time... From my observation.
I don't know the main cause of the issue and I'm seeking a permanent fix to it. What could be the issue? How can I resolve this?
Useful hint:
After authentication at the login page, I usually create a response cookie which holds another value which I use to keep track of the user. If the cookie expires, I redirect the user back to login. I usually check for the existence of this cookie on the master page for each page load. So I don't know if this could be a possible cause. If it is, what's the best practice to employ?
I've tried checking the cookies being set if it's the possible challenge, but no success.

Related

Clear cookie and force Login each time user visits site?

I have a web application built using asp.net mvc. I'm using the standard built-in authentication - asp.net Identity (SignInManager & application cookie), although I've hooked this to a MySQL back end.
As expected, when the user leaves my web application but returns to it in time before their session expires they can access the authorized pages on the site and when the session expires they are redirected to the log in page.
My question is, is it possible to force them to log in every time they return to the site after leaving it? The scenario being, they closed their browser or navigated away from the site altogether.
Appreciate the help guys!
You need to "issue" the authentication cookie as a "session" cookie. Session cookies disappear when all instances of the same-brand/same-mode browser are closed. By "same-mode" I mean incognito and non-incognito.
Keeping in mind your scenario, you can use the following method.
FormsAuthentication.SetAuthCookie("YourCookieValue", false); // second argument is persistent
You can set the persistent value to false so whenever a user closes his/her browser he/she will be logged out.

Asp.net session when the user is unauthenticated

I have a webforms asp.net page that displays search results. I would like to store the search results in session until the user performs a new search. User can search on the website even if unauthenticated. I have two web servers behind the F5 load balancer. The load balancer maintains sticky session irrespective of web app authentication.
So my question is, am I doing anything wrong in this process? Should I not be storing search results in session if the user is not logged in? Is there anything wrong with this approach?

Asp.net Session gets renewed between requests occasionally

I am building a website with asp.net and c# 3.5.
The problem is User Session gets cleared between requests. Not all sessions, just that user session is renewed suddenly when a new request or postback occurs.
I am using IIS7 and Win2008 R2. I checked and found out that no recycling happens, WorkerProcess is set to 1, and the website is not restarted. Just a user session is renewed and gets a new sessionId. Not all sessions, just a user session is renewed.
It is a very strange problem. I searched the web and couldn't find the solution.
If you have any clue?
I think I found my problem. The problem name is "canonical domain". Users enter the site without www at the start of its URL, but between requests (especially in Response.Redirect("~") or when I redirect the user to the payment gateway and when it returns back), the URL turns into a URL with www. So the cookies renew and that user session is lost at this point.
Canonical domain can be solved with IIS7 Url Rewrite module, in SEO -> Canonical domain name.
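A web.config rule of the kind the answer above refers to, given here as an added example that is not part of the original post. The host names `example.com` / `www.example.com` and the `https` scheme are placeholders and assumptions; the IIS URL Rewrite module must be installed for the `<rewrite>` section to be recognised.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Added example: send every request for the bare host to the
             www host, so the browser only ever holds one set of
             host-scoped session and authentication cookies. -->
        <rule name="CanonicalHostName" stopProcessing="true">
          <!-- Match any path; {R:1} below is the captured path. -->
          <match url="(.*)" />
          <conditions>
            <!-- Placeholder host: fire only for the non-www name. -->
            <add input="{HTTP_HOST}" pattern="^example\.com$" />
          </conditions>
          <!-- Permanent (301) redirect; the query string is appended
               by default (appendQueryString="true"). -->
          <action type="Redirect"
                  url="https://www.example.com/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Return URLs handed to external services such as a payment gateway should use the same canonical host, otherwise the user comes back on a host for which the browser sends no session cookie.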

ASP.NET/IIS: Windows Authentication, setting max attempts and redirecting

We have an internal web app running on IIS6 and we use the integrated windows authentication for domain users to login to the app before they can use it.
What we would like to do is redirect the user to an error page if they fail to login to the domain 3 times.
Where should I be looking to configure this? My first thought was in IIS, but I don't see anything in the config there that relates to what I'm looking to do.
How are the users authenticating? If they are using IE then domain authentication should be automatic (ie. the server does an NTLM challenge to the browser which is handled automatically by IE if the web server is in the intranet zone). In this case it would not be possible to fail to log in if the user is a member of the domain.
If you are using a login form which then verifies the credentials against the domain controller, then you can implement a custom solution which counts the invalid logins and does a Response.Redirect to an error page.
Without knowing more about the setup it is difficult to answer more fully...
Personally, I'd make this database driven. Assuming the user enters the username credentials correctly but fails to enter the correct password. When they do log in correctly, set their FailLoginCount to 0, and each time they fail, increase it by one.
Once it reaches 3, redirect them to your desired page and possibly "lock" their account.
HTH

When IIS restarts how to go back to same page?

Suppose I have logged into a web application. I'm on the page Default.aspx. If IIS restarts then I need to re-login to use the application.
Is it possible to go back to the same page if IIS restarts?
How are you authenticating your users? Using forms authentication stores a client side cookie which can survive IIS resetting. Are you storing any authentication information in session state perhaps?
Edit
Just to add you can also redirect a user to a different page from the login page. Take the following url http://example.com/Login.aspx?ReturnUrl=%2fDefault.aspx.
This URL can be used to redirect the user to the Default.aspx page after they log in. Assuming you're using Forms authentication you can then redirect them using FormsAuthentication.RedirectFromLoginPage(userName, false); The false parameter prevents a persistent cookie from being created.
If you mean the ASP.Net application domain recycles, your issue is that you're losing session state data, right? If that's the case, then how about storing session data in the StateServer or inside SQL Server? The default is "in process", so it's wiped clean when the app domain recycles.
If you set a cookie on each page the user visits stating which page they were on, then in your OnLoggedIn event you can check for the existence of this cookie, and redirect the user to the page - we use a similar mechanism for round-robin logins to multiple domains at once.
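The out-of-process session state suggested in the answers above, shown as an added web.config example that is not taken from any of the posts. The state server address is the ASP.NET default and the SQL Server connection string is a placeholder.

```xml
<configuration>
  <system.web>
    <!-- Default behaviour, shown for comparison: session data lives in
         the worker process and is lost whenever the application domain
         or application pool recycles.
         <sessionState mode="InProc" timeout="20" />
    -->

    <!-- Option 1: ASP.NET State Service. The "ASP.NET State Service"
         Windows service must be running on the target machine, and
         every object placed in Session must be serializable. -->
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  cookieless="UseCookies"
                  timeout="20" />

    <!-- Option 2: SQL Server (use instead of option 1, not together).
         Placeholder connection string; the session state database has
         to be provisioned first, for example with aspnet_regsql.exe.
         <sessionState mode="SQLServer"
                       sqlConnectionString="Data Source=PLACEHOLDER_SERVER;Integrated Security=SSPI"
                       cookieless="UseCookies"
                       timeout="20" />
    -->
  </system.web>
</configuration>
```

Either option keeps session data across a recycle of the web application; the forms authentication cookie is separate from session state and is not affected by this setting.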
