I would like to use State Server for sessionState.
This works fine for all session variables but not for authentication. What must I do to store authentication in State Server so I can use a farm of Webservers? My web.config looks like..
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="20" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" cookieless="false" timeout="20" />
<machineKey validationKey="F2FCB9C6C8F045A198D4885C6E...
I'm unclear about what you mean by "store authentication in State Server".
Authentication Is never stored in session variables, and it's a poor practice to do so. Authentication is stored on the users local computer in the form of an encrypted cookie (either non-persistent or persistent), and therefore is inherently immune to any webfarm issues so long as your machinekey is specified in common on all servers.
Session and FormsAuthentication are to different systems in .NET.
Related
I want to log a user into an ASP.NET MVC site, and the session expires very quickly, in minutes.
Authentication is done in one line of code:
authProvider.Authenticate(model.UserName, model.Password)
Then I have in Web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" name=".ASPXAUTH" timeout="300" slidingExpiration="true">
and the setting on the IIS on the server for 300 minutes.
What is the problem?
Make sure you have a sessionState timeout value that matches your forms timeout:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login"
name=".ASPXAUTH"
timeout="300"
slidingExpiration="true" />
</authentication>
<sessionState timeout="300" mode="InProc" />
</system.web>
You also need to change the Idle Time-out parameter of your Application Pool to the desired authentification timeout to avoid the Application Pool to recycle too soon and therefore lose your sessions.
This parameter can be found in:
IIS - Application Pools - Advanced Settings of the Application Pool in question.
References:
Configure Idle Time-out Settings for an Application Pool
IIS7 Application Pool Idle Time-out Settings
If you don't want to change this parameter(*), a solution is to use the StateServer mode of the Session State. This mode uses a service to store the session instead of the memory with In-Process mode. It has the advantage of not losing the session when the Application Pool is recycled. It's also very easy to configure:
<system.web>
<sessionState mode="StateServer"
stateConnectionString="tcpip=loopback:42424"
cookieless="false"
timeout="300" />
</system.web>
(*) 5 minutes is very low. The default is 20 minutes. So I advice to set it to at least the default value if using the StateServer mode.
Reference:
Session-State Modes
I'm using "Forms" authentication in asp.net 4, with a fixed time before make the session expire.
I need to call a method that use some variables in Session just before logging out, but I am not able to handle the case when the user's session is expired (it just redirect me to the login page). For example, I would like to log something like "User session is expired!". Moreover, I need some info stored in Session.
I tried to use the Session_end method, but it seems that session expiration "event" does not trigger this function.
The configuration in web.config is:
<sessionState
mode="InProc"
cookieless="false"
timeout="70"/>
<authentication mode="Forms">
<forms defaultUrl="~/Default.aspx"
loginUrl="~/Login.aspx"
slidingExpiration="true"
timeout="1" />
</authentication>
<anonymousIdentification enabled="false" />
<authorization>
<deny users="?" />
</authorization>
The 1-second delay for expiration is for debug purpose.
Is it possible to do what I need to?
Many thanks
Think this may have already been answered.
Calling a method on Session Timeout?
Apologies if this is different.
I have to use SQL Server to store session data and forms auth for logging in. Something weird is going on where the session is ending and I lose all session data but the forms auth isn't kicking them to the login page. Here is my web config set up for this:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="2880" path="/" protection="All"
defaultUrl="Default.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<sessionState mode="SQLServer" customProvider="AppFabricCacheSessionStoreProvider"
sqlConnectionString="" timeout="30" allowCustomSqlDatabase="true">
<providers>
<!-- specify the named cache for session data -->
<add name="AppFabricCacheSessionStoreProvider"
type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider"
cacheName="dev-advisorlynx" sharedId="OrionShared"/>
</providers>
</sessionState>
Forms auth is managed by the forms authentication cookie. Session state is managed by the ASP.NET_SessionID cookie. You could be losing one and not the other.
Check the cookie traffic using HTTP watch or by checking the IIS logs. They may be scoped differently for whatever reason (e.g. they may have a different domain or path, or one of them may be expiring).
Session in asp.net is not expiring on expected time. Below is my part of web.config file for session configuration. Here i want to expire my session in 2 minutes and redirect the user to login page for test purpose. Here session expires about 6 to 7 minutes later.
<system.web>
<sessionState mode="InProc" timeout="2" />
<authentication mode="Forms">
<forms loginUrl="/Home/Login" timeout="2" />
</authentication>
</system.web>
Thanks.
Make sure you have disabled sliding expiration:
<system.web>
<sessionState mode="InProc" timeout="2" />
<authentication mode="Forms">
<forms loginUrl="/Home/Login" timeout="2" slidingExpiration="false" />
</authentication>
</system.web>
Now no matter whether you are sending requests to the application during the period, the forms authentication cookie won't be renewed.
I have an ASP.NET MVC application using forms authentication. Here's the line of code where I create the auth token:
FormsAuthentication.SetAuthCookie(username, true);
My web.config contains:
<system.web>
<machineKey validationKey="{unique key}" decryptionKey="{unique key}" validation="SHA1" decryption="AES" />
<authentication mode="Forms">
<forms loginUrl="~/account/" timeout="2880" />
</authentication>
...
</system.web>
<location path="my">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Despite the parameter for the persistent cookie being set to true, my users get logged out after a few days of inactivity.
The app is deployed to AppHarbor, but I experienced the same behavior when it was hosted on a dedicated server.
What am I missing that would cause users to get logged out sporadically?
Your timeout is set to 2880 minutes, which is 48 hours?
timeout is used to specify a limited lifetime for the forms authentication session. The default value is 30 minutes. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie.
http://msdn.microsoft.com/en-us/library/ff647070.aspx