Session is getting reset in asp.net application - asp.net

I am running an ASP.NET 4.0 application with single sign-on using IIS 7.5. I want my session not to time out for 365 days and set the value in the web.config file. We are using "SQLServer" session mode. I have done the following:
1) Set timeout to 365 days in web.config.
2) Set to use SQLServer session mode in web.config.
3) Set the application pool to use the session timeout which is given in the web.config file.
Even after making these changes we still have the problem: we are not able to access the web server, and when we click on any button to refresh, the page is redirected to the single sign-on login page, which means the session is getting reset.
How can I resolve this issue?

Related

Session timeout is not working while using SqlServer mode

I am developing an ASP.NET MVC application.
We have used sessionState mode SQLServer and I have set timeout to 20 minutes.
<sessionState mode="SQLServer"
sqlConnectionString="data source=127.0.0.1;user id=sa;password=sa"
cookieless="false"
timeout="2" />
The code in web.config is something like this.
I have also set the login page.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
Now when the session expires I want to navigate the user to the login page.
I checked many things but I was unable to understand how exactly it works, and how can I navigate the user to the login page on session expiry?
It is working in InProc mode. I used it in the same way and the user is redirected to login on session expiry.
But I am unable to accomplish the same thing in SQLServer mode.
I am unable to understand what I am missing.
I checked Session State and also found that session timeout is handled in SQLServer mode.
Edit:
I want to redirect the user to the login page whenever another HTTP request is executed for that session.
Ordinarily the browser has no idea what is going on on the server. Unless an HTTP round trip occurs, it will remember the state of the session from when the page was rendered.
In addition, your session cookie is probably HttpOnly, so there is no way for the page to check for the presence of a session cookie.
One way to accomplish what you want is:
1) Add a hidden iFrame to your page. Set the SRC of the iFrame to a handler in your web site.
2) The handler doesn't have to do much except return a 200 OK, plus a refresh header set to a few seconds, so that the handler gets continually polled.
context.Response.AddHeader("REFRESH", "2");
3) Add framebreaker code to your login page:
if (top.location != location) {
top.location.href = document.location.href ;
}
When a request for the handler occurs with an expired session, it'll get redirected to the login page via forms authentication; when the login page is returned, it'll break your iFrame and redirect the full window to the login page.
Or, you can do what everyone else does, which is wait for the user to request another page.
For me, changing the timeout value in the web.config file to anything didn't take place, and the reason was there were somehow some leftover old records in the ASPStateTempSessions table in ASPState database. I had to empty the table and only then my web.config changes took place. I wasted an hour trying to search for the cause so hope this helps someone.
So, run this:
delete from ASPStateTempSessions
The difference between InProc and SQLServer mode is that SQLServer relies on an MSSQL job to remove the session. It doesn't actively prevent you from logging in again.
See Session State Providers
SqlSessionStateStore doesn't actively monitor the Expires field. Instead, it relies on an external agent to scavenge the database and delete expired sessions—sessions whose Expires field holds a date and time less than the current date and time. The ASPState database includes a SQL Server Agent job that periodically (by default, every 60 seconds) calls the stored procedure DeleteExpiredSessions to remove expired sessions.

ASP.NET MVC - Erasing session data after a few minutes of inactivity

In my web application, I often see that when I am not doing anything for a few minutes, and then I come back and refresh the page, I am still logged in, but my session data is all gone!
In the login() action I am setting up a few Session[] objects that are necessary for a page to work correctly. I have no idea why it is doing so, but I need it to log the user out whenever it clears his session data.
I have read about setting <sessionState mode="InProc" timeout="20"/> but will this timeout refresh every time I refresh the page? Or will it run out 20 minutes after the time I logged in? What if I make this timer bigger than the one I have for keeping the user online?
Posting back to the server will keep the session alive for longer. It's a sliding expiration. There are two ways to handle this from the client, which is not aware of this 20-minute timeout:
1) Create a timer using client JavaScript that redirects to the logout page when 20 minutes is hit.
2) Whenever a postback happens, check if the session expired (which can be done in a variety of ways, such as checking Session.IsNewSession, seeing if your objects are lost, etc.) and then redirect to the logout handler before processing the request.
I assume you are using Forms Authentication. Is that correct? If so, you need to have your Forms Authentication ticket's timeout match the Session timeout.
The user stays logged in through a process that is more complicated than it first seems. A cookie is stored in the user's browser that is called the Forms Authentication Ticket. If the user stays idle past the session timeout limit, the server will discard the session. But on the next request, the Forms Authentication Ticket is passed back to the web server. The server validates the ticket, and if it is still valid, the user is logged back in.
As you can see, the user's session is not restored. If you want that behavior, you would have to detect that condition and restore the session yourself.
The solution is to set the Forms Authentication Ticket's timeout to be the same as the Session timeout. You accomplish that in your Web.config file, as explained here:
<system.web>
<authentication mode="Forms">
<forms timeout="20"/>
</authentication>
</system.web>
The timeout value is in minutes. Once the Forms Authentication Ticket's timeout is hit, the user will be logged out. This operates independent from the session's timeout, but if they are the same, they will expire at roughly the same time. If you want to be completely safe, set the Forms Authentication Ticket timeout to be a little shorter than the session timeout. The user will be logged out before their session times out. When they log in again, they will get a new session. The old session will eventually time out on its own.
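One way to detect the condition described above, where the Forms Authentication ticket still validates but the session it belonged to is gone, and send the user back through login instead of running with empty session data. This is an added example, not code from the answers on this page; the class name Global and the default session cookie name ASP.NET_SessionId are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Global.asax code-behind; the class name is an assumption.
public class Global : HttpApplication
{
    // Default name; adjust if <sessionState cookieName="..."> is set.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Runs after the session module has loaded or created the session.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        // Handlers that do not use session state have no Session object.
        if (ctx == null || ctx.Session == null) return;

        // Only act when the ticket validated but the session is brand new.
        if (!ctx.Request.IsAuthenticated || !ctx.Session.IsNewSession) return;

        // A new session on a request that already carried a session cookie
        // means the previous session expired or was lost (timeout, recycle,
        // scavenged row). A first visit carries no cookie and is left alone.
        HttpCookie sent = ctx.Request.Cookies[SessionCookieName];
        if (sent == null || string.IsNullOrEmpty(sent.Value)) return;

        // Drop the stale ticket and the empty session.
        FormsAuthentication.SignOut();
        ctx.Session.Abandon();

        // Expire the old session cookie so the next login starts with a
        // fresh session ID and this check does not fire again on it.
        HttpCookie expired = new HttpCookie(SessionCookieName, string.Empty);
        expired.Expires = DateTime.Now.AddDays(-1);
        expired.HttpOnly = true;
        ctx.Response.Cookies.Add(expired);

        // RedirectToLoginPage does not end the request, so skip the handler.
        FormsAuthentication.RedirectToLoginPage();
        CompleteRequest();
    }
}
```

The check works the same way in InProc, StateServer and SQLServer modes, because it only looks at what the session module reports for the current request.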
Try checking this:
Q: In Proc mode, why do I lose all my session occasionally?
A: Please see the "Robustness" section in the "Understanding session
state modes" section of this article.
Robustness
InProc - Session state will be lost if the worker process
(aspnet_wp.exe) recycles, or if the appdomain restarts. It's because
session state is stored in the memory space of an appdomain. The
restart can be caused by the modification of certain config files such
as web.config and machine.config, or any change in the \bin directory
(such as new DLL after you've recompiled the application using VS) For
details, see KB324772. In v1, there is also a bug that will cause
worker process to restart. It's fixed in SP2 and in v1.1. See
KB321792.
Source - http://forums.asp.net/t/7504.aspx/1

timeout and auto logout in asp.net 2.0 with IIS 7 even after doing all the possible settings

I have an ASP.NET 2.0 web site hosted on Windows Server 2008 with IIS 7. I am using InProc session mode (specified in web.config). My client wants the timeout to be 3 hours, meaning if the web site is idle, the session should remain alive for 3 hours. Currently, what is happening is that if the web site is idle for 20-30 min. and the user tries to access any link, it redirects to the login page.
I searched on internet and did all the possible settings (as follows):
In web config, session state, time out = 180 minutes.
In web config, forms authentication, time out = 180 minutes.
In IIS 7, Site->Features View->Session state - Session State Mode Setting: In Proc and Cookie Setting->Time out = 180 minutes
In IIS 7, Site->Features View->ASP->Services->Session Properties->Time out = 03:00:00 hours
In IIS 7, Application Pools->Site->Advanced Setting->Process Model->Idle Time-out = 180 minutes.
Even after doing all these settings, timeout has not increased and still if the web site is idle for 20-30 mins. and user tries to access the link, it redirects to login page.
Additional Information:
Whenever it redirects to login page after idle of 20-30 mins., and if I check the event log on server, it says something like (I am not sure whether this error is related to this particular issue or not):
"Forms authentication failed for request. Reason: The ticket supplied has expired"
How does your code issue the authentication ticket once users log in? The documentation says that the expiration attribute will overwrite whatever you set in the web.config - that might be the issue.
If the ticket is generated manually by
using the FormsAuthenticationTicket
class, the time-out can be set through
the Expiration attribute. This value
will override the timeout attribute
value specified in configuration
files.
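A login helper that builds the ticket by hand but takes its Expiration from the forms timeout in web.config, so the two values cannot drift apart in the way the quoted documentation describes. This is an added example, not code from the question or the answer; the class and method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Hypothetical helper called from a login action after credentials check out.
public static class TicketIssuer
{
    public static void SignIn(HttpContext ctx, string userName, bool persistent)
    {
        // Read <forms timeout="..."> from configuration. A hard-coded
        // Expiration on a hand-built ticket silently overrides that value.
        AuthenticationSection auth = (AuthenticationSection)
            WebConfigurationManager.GetSection("system.web/authentication");
        TimeSpan timeout = auth.Forms.Timeout;

        DateTime issued = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                      // ticket version
            userName,
            issued,
            issued.Add(timeout),    // Expiration: the value that actually applies
            persistent,
            string.Empty,           // userData
            FormsAuthentication.FormsCookiePath);

        // Encrypt the ticket and send it with the same protections the
        // framework-issued cookie would carry.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;

        // Only a persistent ticket gets a cookie lifetime; otherwise the
        // cookie ends with the browser session.
        if (persistent)
            cookie.Expires = ticket.Expiration;

        ctx.Response.Cookies.Add(cookie);
    }
}
```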

IIS7 Integrated Pipeline Mode: Context.User is intermittently null for Windows Auth

Our code relies on checking the Context.User.Identity value in the Global.asax Application_AuthenticateRequest(...) method to retrieve some information about the logged in user. This works fine in classic mode but when I flip IIS to use the Integrated Pipeline "Context.User" comes back as null, but only intermittently. Any ideas why?
I have <authentication mode="Windows"> and only Windows Auth enabled in the Virtual Directory.
Integrated mode means that the pipeline events of ASP.NET run at the same time as the IIS pipeline. What that means is:
1) In Classic Mode - AuthenticateRequest in ASP.NET runs well after IIS has already done the authentication (using Windows auth maybe, or basic, etc.) and so you will get the User Identity set to it.
2) In Integrated Mode - AuthenticateRequest will run at the "same time" in both, which will cause it to have a null there. You should consider using PostAuthenticateRequest if you want to reliably get a User Identity (of course, provided you have an authentication module enabled).

asp.net sessions lost when the page is reloaded (ispostback = false)

I have a really strange problem to do with session variables.
I have an ASP.NET page that sets a few session variables. On my development machine (localhost), I do a postback and the session values are still populated.
When I reload the page by clicking on the URL bar and pressing Enter, the session variables are still there.
However, when I deploy this page to a web server, the page still retains the session values when doing a postback, but as soon as I click the URL and press Enter the session values are lost (where IsPostBack = false).
But when I press the refresh button the session variables are present (but I do get a popup warning me that the page data needs to be resent!).
I am running IE 7, and the web server is IIS 6. What am I doing wrong?!
Please help x
What session state provider are you using? The default is InProc, whereby sessions are stored in the ASP.NET worker process. This means session state can be lost if the application pool is recycled or the web server is low on memory. You could try using StateServer mode, whereby sessions are stored in a separate service running on the server. You can change the mode in web.config, e.g.
<system.web>
<sessionState mode="StateServer" />
</system.web>
See http://support.microsoft.com/kb/307598
Sounds like the webserver is not configured to use session state.
Make sure your web.config has the correct <sessionState> section, with the mode being InProc:
<sessionState mode="InProc" />
