SQL Server Session data and Forms auth - asp.net

I have to use SQL Server to store session data and forms auth for logging in. Something weird is going on where the session is ending and I lose all session data but the forms auth isn't kicking them to the login page. Here is my web config set up for this:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="2880" path="/" protection="All"
defaultUrl="Default.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<sessionState mode="SQLServer" customProvider="AppFabricCacheSessionStoreProvider"
sqlConnectionString="" timeout="30" allowCustomSqlDatabase="true">
<providers>
<!-- specify the named cache for session data -->
<add name="AppFabricCacheSessionStoreProvider"
type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider"
cacheName="dev-advisorlynx" sharedId="OrionShared"/>
</providers>
</sessionState>

Forms auth is managed by the forms authentication cookie. Session state is managed by the ASP.NET_SessionID cookie. You could be losing one and not the other.
Check the cookie traffic using HTTP watch or by checking the IIS logs. They may be scoped differently for whatever reason (e.g. they may have a different domain or path, or one of them may be expiring).
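One way to keep the two cookies in step on the server side, as an added example that is not part of the original answer: a `Session_Start` handler that treats "valid forms ticket, brand-new session" as a lost session and sends the user back to the login page. The class name and log message are assumptions.

```csharp
// Global.asax.cs -- added example; class name and log text are assumptions.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Raised whenever ASP.NET creates a new session, for every sessionState
    // mode (unlike Session_End, which is raised only for InProc).
    protected void Session_Start(object sender, EventArgs e)
    {
        // Anonymous visitors legitimately start sessions (e.g. on Login.aspx).
        if (!Request.IsAuthenticated)
            return;

        // The forms ticket is still valid but the session is new: the session
        // cookie or the stored session data expired before the ticket did.
        Trace.TraceWarning(
            "Session lost for authenticated user '{0}'; forcing re-login.",
            User.Identity.Name);

        // Expire the forms authentication cookie and drop the empty session.
        FormsAuthentication.SignOut();
        Session.Abandon();

        // RedirectToLoginPage does not end the request, so skip the rest of
        // the pipeline explicitly.
        FormsAuthentication.RedirectToLoginPage();
        CompleteRequest();
    }
}
```

A returning user with a persistent forms cookie also arrives with a valid ticket and a new session, so this handler sends that user to the login page as well.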

Related

Web config allow users not working

I have the below in my web config file on a forms authenticated web site, but it does not allow a user to navigate to that page unless they login.
<configuration>
<connectionStrings>
<remove name="******"/>
<add name="*******" *******"/>
<add name="*****" *******"/>
</connectionStrings>
<location path="About.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
ASP.net web forms 4 site. NOTE *** hide original data
Your question is not clear. But again, enable Forms Authentication by adding this line
<system.web>
<!--Session state Time Out-->
<sessionState timeout="60" />
<!--My authentication module-->
<authentication mode="Forms">
<forms name="PROJECTNAME.ASPXAUTH" loginUrl="~/Login.aspx" protection="All" path="/" timeout="60"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
and it will secure the web application. If you want to access any particular folder, then create a folder and add a Web.config file, and in the Web.config file
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<!--Default access grant sa=11,admin=12-->
<allow roles="admin"/>
<!--Order and case are important below-->
<deny users="*"/>
</authorization>
</system.web>
</configuration>
to prevent access by users with a role other than admin,
and create the role by
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, // Ticket version
Convert.ToString(user.UserID), // Username associated with ticket
DateTime.Now, // Date/time issued
DateTime.Now.AddMinutes(60), // Date/time to expire
false, // "true" for a persistent user cookie
Convert.ToString(user.RoleID), // User-data, in this case the roles
FormsAuthentication.FormsCookiePath);// Path cookie valid for
// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName, // Name of auth cookie
hash); // Encrypted ticket
// Set the cookie's expiration time to the ticket's expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);

asp.net 4 form authentication: perform action on user session expiration

I'm using "Forms" authentication in asp.net 4, with a fixed time before the session expires.
I need to call a method that uses some variables in Session just before logging out, but I am not able to handle the case when the user's session is expired (it just redirects me to the login page). For example, I would like to log something like "User session is expired!". Moreover, I need some info stored in Session.
I tried to use the Session_end method, but it seems that session expiration "event" does not trigger this function.
The configuration in web.config is:
<sessionState
mode="InProc"
cookieless="false"
timeout="70"/>
<authentication mode="Forms">
<forms defaultUrl="~/Default.aspx"
loginUrl="~/Login.aspx"
slidingExpiration="true"
timeout="1" />
</authentication>
<anonymousIdentification enabled="false" />
<authorization>
<deny users="?" />
</authorization>
The 1-second delay for expiration is for debug purpose.
Is it possible to do what I need to?
Many thanks
Think this may have already been answered.
Calling a method on Session Timeout?
Apologies if this is different.

ASP.NET FormsAuthentication does not use State Server

I would like to use State Server for sessionState.
This works fine for all session variables but not for authentication. What must I do to store authentication in State Server so I can use a farm of Webservers? My web.config looks like..
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="20" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" cookieless="false" timeout="20" />
<machineKey validationKey="F2FCB9C6C8F045A198D4885C6E...
I'm unclear about what you mean by "store authentication in State Server".
Authentication is never stored in session variables, and it's a poor practice to do so. Authentication is stored on the user's local computer in the form of an encrypted cookie (either non-persistent or persistent), and therefore is inherently immune to any webfarm issues so long as your machinekey is specified in common on all servers.
Session and FormsAuthentication are two different systems in .NET.

Asp.net MVC 3 session not expiring on expected time

Session in asp.net is not expiring at the expected time. Below is the part of my web.config file for session configuration. Here I want to expire my session in 2 minutes and redirect the user to the login page for test purposes. Here the session expires about 6 to 7 minutes later.
<system.web>
<sessionState mode="InProc" timeout="2" />
<authentication mode="Forms">
<forms loginUrl="/Home/Login" timeout="2" />
</authentication>
</system.web>
Thanks.
Make sure you have disabled sliding expiration:
<system.web>
<sessionState mode="InProc" timeout="2" />
<authentication mode="Forms">
<forms loginUrl="/Home/Login" timeout="2" slidingExpiration="false" />
</authentication>
</system.web>
Now no matter whether you are sending requests to the application during the period, the forms authentication cookie won't be renewed.

Persistent Auth Token Expires

I have an ASP.NET MVC application using forms authentication. Here's the line of code where I create the auth token:
FormsAuthentication.SetAuthCookie(username, true);
My web.config contains:
<system.web>
<machineKey validationKey="{unique key}" decryptionKey="{unique key}" validation="SHA1" decryption="AES" />
<authentication mode="Forms">
<forms loginUrl="~/account/" timeout="2880" />
</authentication>
...
</system.web>
<location path="my">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Despite the parameter for the persistent cookie being set to true, my users get logged out after a few days of inactivity.
The app is deployed to AppHarbor, but I experienced the same behavior when it was hosted on a dedicated server.
What am I missing that would cause users to get logged out sporadically?
Your timeout is set to 2880 minutes, which is 48 hours?
timeout is used to specify a limited lifetime for the forms authentication session. The default value is 30 minutes. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie.
http://msdn.microsoft.com/en-us/library/ff647070.aspx
