Authentication cookie not working after application pool reloads - asp.net

I use forms-based authentication on my site.
In my login page I have:
FormsAuthentication.SetAuthCookie(user.userName, true)
When I want to check if the user is authenticated I do:
HttpContext.Current.User.Identity.IsAuthenticated
I'm not using ASP.NET Membership; instead I use my own SQL-DB verification.
Do I have to use ASP.NET Membership?
This is working for me most of the time.
The problem is that sometimes after 5 hours, sometimes after 30 hours,
the application pool gets restarted for some reason (I'm on a shared server),
and after that "User.Identity.IsAuthenticated" returns false every time until the user logs in again.
This is strange to me because I can see that the client still has the persistent auth cookie, so why is the user not authenticated?
My Web.Config reference:
<authentication mode="Forms">
<forms
name="AuthCookie"
loginUrl="~/mySite/ManageLogin.aspx"
timeout="5256000"/>
</authentication>
Any help will be appreciated.
My site www.mentallica.co.il

This may be due to the automatic generation of the machineKey at application start. You can prevent that by specifying a machineKey for your app in your web.config:
<machineKey
validationKey="410E4E2B06BE457709F2D8C72BB02957A3B4E8BA327F3A6103696857AD3A88598D454489B9D4CAAFC2D5E35E8795B311EE2E94DAA485FD64D7184272A4AE4D8B"
decryptionKey="EFAFA0917D0D8F137F05B26AE053397C48D34DE688E73483D15C8EDAF0D6FD4F"
validation="SHA1"
decryption="AES" />
You shouldn't use this one - you may create your own easily at http://aspnetresources.com/tools/machineKey .
More information about machinekeys: http://msdn.microsoft.com/en-us/library/ff649308.aspx
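To see why the cookie can still sit in the browser while IsAuthenticated flips to false, here is an added Python model of the forms-authentication ticket. It is not ASP.NET's code: real tickets are also encrypted with decryptionKey and serialized differently, only the HMAC validation step is modelled here, and the user name, timestamps and key sizes are made up for the example. The ticket is signed with whatever validationKey the worker process holds; with no <machineKey> in web.config that key is regenerated on every application start, so after a recycle the old cookie fails the MAC check exactly as the question describes, regardless of the ten-year timeout:

```python
"""Toy model of a forms-auth ticket: why an auto-generated machineKey breaks
persistent cookies across app-pool recycles. Added example, not ASP.NET's
implementation (real tickets are encrypted as well as MAC'd)."""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

MAC_LEN = 32  # HMAC-SHA256 digest length


def autogenerated_machine_key() -> bytes:
    """No <machineKey> in web.config: a fresh random key on every
    application start, i.e. on every app-pool recycle."""
    return os.urandom(64)


# Stands in for a validationKey pasted into web.config: fixed for the
# lifetime of the deployment instead of the lifetime of the process.
CONFIGURED_KEY = os.urandom(64)


def issue_ticket(validation_key: bytes, user: str, ttl_minutes: int,
                 now: Optional[float] = None) -> str:
    """SetAuthCookie(user, persistent) stand-in: name|issued|expires, MAC'd."""
    now = time.time() if now is None else now
    payload = f"{user}|{int(now)}|{int(now) + ttl_minutes * 60}".encode()
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def validate_ticket(validation_key: bytes, cookie: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Stand-in for the check behind User.Identity.IsAuthenticated:
    the user name on success, None when the ticket is rejected."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # MAC made with a different key (or tampered): not authenticated
    user, _issued, expires = payload.decode().rsplit("|", 2)
    if now >= int(expires):
        return None  # ordinary timeout expiry
    return user


def simulate_recycle(configured_key: Optional[bytes] = None) -> Tuple[Optional[str], Optional[str]]:
    """Log in, recycle the app pool, present the same cookie again.
    Returns (user seen before the recycle, user seen after it)."""
    key_at_start = configured_key or autogenerated_machine_key()
    cookie = issue_ticket(key_at_start, "alice", ttl_minutes=5256000)  # the question's 10-year timeout
    before = validate_ticket(key_at_start, cookie)
    key_after_recycle = configured_key or autogenerated_machine_key()  # new process, new key
    after = validate_ticket(key_after_recycle, cookie)                  # same cookie as before
    return before, after


if __name__ == "__main__":
    print("auto-generated key:", simulate_recycle())                # ('alice', None)
    print("explicit machineKey:", simulate_recycle(CONFIGURED_KEY))  # ('alice', 'alice')
```

The same check also rejects a cookie whose payload was edited, which is the other job of validationKey: anyone who learns it can mint a ticket for any user name, so the value in web.config has to be treated as a secret, not as configuration.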

Related

RedirectFromLoginPage() does not issue auth cookie for base domain

Say I have 2 sites and want to implement SSO between them. They are hosted at site1.localhost and site2.localhost. From what I've read so far I only needed the following in my web.config:
<authentication mode="Forms">
<forms loginUrl="/Login.aspx" domain=".localhost" path="/" />
</authentication>
<machineKey .../>
However, the following call does not issue authentication cookie at all:
FormsAuthentication.RedirectFromLoginPage(InputEmail.Text, true);
If I remove domain attribute from forms element the cookie is perfectly issued for site1.localhost domain. What am I missing?
p.s.
Windows 7 x64, ASP.NET 4.0, integrated pipeline, no extra modules/handlers
Update:
The following call returns a cookie with proper domain set (.localhost):
HttpCookie httpCookie = FormsAuthentication.GetAuthCookie(InputEmail.Text, true )
How is that possible?
Cookies need at least a 2 part domain name. If your sites were site1.local.domain & site2.local.domain, then you could issue a cookie for .local.domain. You cannot issue a cookie for .localhost

Sessions and auth in asp.net

While developing a site (using forms authentication and InProc session state) I frequently run into a scenario where I lose the variables stored in Session (such as Session["myVar"]), but my auth session remains valid.
This results in some weird behavior on my site.
Why is this happening and what can I do to prevent different lifecycles for my auth and my session variables?
In Asp.Net a Session and "Being logged in" are not the same thing.
Both are (usually) controlled by cookies, but the cookies are separate.
To control how long a Session is kept alive, please see answer by Jonas T.
To control how long a user remains logged in, you can use the timeOut on the <forms ... /> element:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="120" slidingExpiration="true"/>
</authentication>
...
</system.web>
To get rid of your problem you should make sure that the session timeout is at least as long as the forms authentication timeout.
If you are allowing persisted cookies in forms authentication ("Remember me"), then there are no guarantees. In that case you just have to set the session timeout to "long enough" according to some criteria/specification.
Edit: Also check the settings on your application pool (under IIS) where the site is deployed. And specifically check what the "Idle Time-out" is. If this is set low (default value is 20 minutes I think), then IIS will shut down the application pool if no requests have come in during that time. That (of course) terminates whatever in-proc sessions existed.
Forms authentication stores its ticket in a cookie on the client side or in the URL (if cookies are disabled).
Session variables are stored on the server side with an expiry time. If you want your variable to be more persistent, use a cookie.
You can extend your session timeout in web.config. This is for 20 minutes.
<configuration>
<system.web>
<sessionState timeout="20"></sessionState>
</system.web>
</configuration>
You said that you are working with ASP.NET forms authentication/authorization, so I'd suggest you use Profile instead of session state.

ASP.Net MVC: Session duration?

Due to the complex business logic, I had to implement the authentication myself. I'm storing the authentication with:
FormsAuthentication.SetAuthCookie(identifier,false);
The false is to indicate that we don't want to have a persistent cookie.
I also have to store some information in session (one piece of information that the user has to enter to log in, indicating which set of data he wants to access).
I'm storing that data through a model binder.
It's working fine most of the time. But sometimes, after an inactivity period, we are still logged in but we don't have any data in session.
I would like the duration of my session to be the same as the login session, to avoid this kind of "I'm logged in but I've lost some data in the session".
I don't need/want to have a persistent connection.
How should I proceed to have this system?
I believe the FormsAuthentication uses its own timeout. You can configure your web.config accordingly:
<system.web>
<authentication mode="Forms">
<forms timeout="50"/>
</authentication>
<sessionState timeout="50" />
</system.web>
In fact, there was a session timeout by default in the IIS application pool, so to avoid this problem:
Go to IIS Manager
Go to the ServerName/Application Pools tab
Right click on the application pool concerned
Click on Advanced Settings
In the section "Process Model", put a higher value in the "Idle Time-out" (this is in minutes)
Click on OK
Restart the application pool
For me, this + the Yannis config(setting the same value for the form timeout+session state timeout) worked.

Forms Auth premature cookie expiration

I'm having trouble with a site that just went to production. For some reason, although the settings seem to be correct for a 15 minutes session timeout, users are reporting that in about 5 minutes they have to log in again.
What can I check? how can I troubleshoot this? I can't reproduce it locally, or in our QA environment. Are there IIS settings I could check? browser settings on the client?
below is my web.config entry for the authentication. Thanks!
<authentication mode="Forms">
<forms loginUrl="~/admin/Login" cookieless="UseCookies" requireSSL="false" timeout="15" slidingExpiration="true" name="{C8226EAB-2423-45ce-8A1D-3BC227F1BEE9}"/>
</authentication>
You'll need to add a machine key to your web.config file. It's getting autogenerated with each app pool recycle and causing your auth ticket cookie values to fail.
This is similar to the following question:
figuring out why asp.net authentication ticket is expiring
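As an added example, not code from the answer above, here is a Python script that generates an explicit <machineKey> and inserts it into web.config under system.web, so the same keys survive recycles and can be copied to every node of a web farm. It uses validation="HMACSHA256" rather than the SHA1 in the first answer on this page, sizes the keys at 64 and 32 random bytes (128 and 64 hex characters), and the sample web.config embedded below is constructed here, modelled on the one in the question:

```python
"""Generate an explicit <machineKey> and insert it into web.config.
Added example, not from the original answer; SAMPLE_WEB_CONFIG is a
constructed stand-in modelled on the question's forms element."""
import re
import secrets
import sys
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

HEX = re.compile(r"^[0-9A-Fa-f]+$")

SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/admin/Login" timeout="15" slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>"""


def _parse(xml_text: str) -> ET.Element:
    # Keep XML comments: the default parser silently drops them, and a real
    # web.config usually has plenty.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def generate_machine_key_attrs() -> Dict[str, str]:
    """Fresh keys from the OS CSPRNG; upper-case hex as ASP.NET expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),  # 64 bytes -> 128 hex chars for HMACSHA256
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes -> 64 hex chars for AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def read_machine_key(web_config_xml: str) -> Optional[Dict[str, str]]:
    mk = _parse(web_config_xml).find("system.web/machineKey")
    return dict(mk.attrib) if mk is not None else None


def machine_key_is_explicit(web_config_xml: str) -> bool:
    """True only for literal hex keys; 'AutoGenerate,IsolateApps' (the
    default) changes on every app-pool recycle."""
    mk = read_machine_key(web_config_xml)
    if mk is None:
        return False
    vk, dk = mk.get("validationKey", ""), mk.get("decryptionKey", "")
    return bool(HEX.match(vk)) and bool(HEX.match(dk))


def ensure_machine_key(web_config_xml: str) -> Tuple[str, bool]:
    """Return (new xml, added). Existing machineKey elements are left alone:
    replacing one logs every user out, so rotation must be deliberate."""
    root = _parse(web_config_xml)
    if root.tag != "configuration":
        raise ValueError(f"not a web.config: root element is <{root.tag}>")
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    if system_web.find("machineKey") is not None:
        return ET.tostring(root, encoding="unicode"), False
    ET.SubElement(system_web, "machineKey", generate_machine_key_attrs())
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    if len(sys.argv) > 1:  # patch a real web.config in place: python script.py path\to\web.config
        with open(sys.argv[1], encoding="utf-8") as fh:
            new_xml, added = ensure_machine_key(fh.read())
        if added:
            with open(sys.argv[1], "w", encoding="utf-8") as fh:
                fh.write('<?xml version="1.0" encoding="utf-8"?>\n' + new_xml)
        print("machineKey added" if added else "machineKey already present, left unchanged")
    else:
        print(ensure_machine_key(SAMPLE_WEB_CONFIG)[0])
```

Treat the generated validationKey like a password: whoever holds it can forge a forms ticket for any user name, so keep the patched web.config out of source control (or move the element into an external config file with restricted ACLs) and rotate it on purpose, knowing that a rotation invalidates every outstanding ticket.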
Well, I think that you also need to set the domain name setting. Do not set www.yourdomain.com, because this way if a user gets to yourdomain.com they get a different cookie.
Set it to the root name without the www: yourdomain.com
<authentication mode="Forms">
<forms
path="/"
domain="yourdomain.com"
/> <!-- maybe this key is the reason -->
</authentication>
Make sure the session is set to at least 15 minutes as well in IIS Manager.

Session timeout in ASP.NET

I am running an ASP.NET 2.0 application in IIS 6.0. I want session timeout to be 60 minutes rather than the default 20 minutes. I have done the following
Set <sessionState timeout="60"></sessionState>
in web.config.
Set session timeout to 60 minutes in IIS manager/Web site properties/ASP.NET configuration settings.
Set idle timeout to 60 minutes in application pool properties/performance.
I am still getting a session timeout at 20 minutes. Is there anything else I need to do?
Are you using Forms authentication?
Forms authentication uses its own value for timeout (30 min. by default). A forms authentication timeout will send the user to the login page with the session still active. This may look like the behavior your app gives when the session times out, making it easy to confuse one with the other.
<system.web>
<authentication mode="Forms">
<forms timeout="50"/>
</authentication>
<sessionState timeout="60" />
</system.web>
Setting the forms timeout to something less than the session timeout can give the user a window in which to log back in without losing any session data.
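The answer above, the one in "Sessions and auth in asp.net" that asks for a session timeout at least as long as the forms timeout, and the IIS idle time-out procedure in "ASP.Net MVC: Session duration?" all compare the same three timers. As an added audit script, not code from any of those answers, the following Python reads the forms and sessionState timeouts from web.config and the app pool's idleTimeout from applicationHost.config (normally %windir%\System32\inetsrv\config\applicationHost.config) and reports the combinations that produce "still logged in but Session is empty". Both configuration files embedded below are constructed samples and the pool name AdminPool is an assumption:

```python
"""Added audit: cross-checks the forms-auth timeout, the sessionState timeout
and the IIS app-pool idle time-out. Not from the original answers; the two
config samples are constructed and the pool name 'AdminPool' is assumed."""
import sys
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

# Constructed sample modelled on the forms element from the question above.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/admin/Login" timeout="15" slidingExpiration="true" />
    </authentication>
    <sessionState mode="InProc" timeout="20" />
  </system.web>
</configuration>"""

# Constructed excerpt in the shape of IIS's applicationHost.config.
APPLICATION_HOST = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="AdminPool" managedRuntimeVersion="v4.0">
        <processModel idleTimeout="00:05:00" />
      </add>
      <add name="OtherPool" managedRuntimeVersion="v4.0" />
      <applicationPoolDefaults>
        <processModel idleTimeout="00:20:00" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>"""


def timespan_minutes(value: str) -> float:
    """IIS TimeSpan 'hh:mm:ss' or 'd.hh:mm:ss' -> minutes (0 means disabled)."""
    days = 0
    if "." in value.split(":", 1)[0]:
        d, value = value.split(".", 1)
        days = int(d)
    h, m, s = (int(x) for x in value.split(":"))
    return days * 1440 + h * 60 + m + s / 60


def web_config_timeouts(xml_text: str) -> Dict[str, Any]:
    root = ET.fromstring(xml_text)
    forms = root.find("system.web/authentication/forms")
    session = root.find("system.web/sessionState")
    return {
        # ASP.NET defaults when the attribute is absent: forms 30 min, session 20 min, InProc.
        "forms_min": int(forms.get("timeout", "30")) if forms is not None else None,
        "session_min": int(session.get("timeout", "20")) if session is not None else 20,
        "session_mode": session.get("mode", "InProc") if session is not None else "InProc",
        "machine_key": root.find("system.web/machineKey") is not None,
    }


def pool_idle_minutes(apphost_xml: str, pool_name: str) -> float:
    """Effective idleTimeout for one pool: the pool's own value, else the
    applicationPoolDefaults value, else the IIS default of 20 minutes."""
    root = ET.fromstring(apphost_xml)
    pools = root.find("system.applicationHost/applicationPools")
    if pools is None:
        raise ValueError("no applicationPools section")
    idle = "00:20:00"
    defaults = pools.find("applicationPoolDefaults/processModel")
    if defaults is not None and defaults.get("idleTimeout"):
        idle = defaults.get("idleTimeout")
    for pool in pools.findall("add"):
        if pool.get("name") == pool_name:
            pm = pool.find("processModel")
            if pm is not None and pm.get("idleTimeout"):
                idle = pm.get("idleTimeout")
            break
    else:
        raise ValueError(f"app pool {pool_name!r} not found")
    return timespan_minutes(idle)


def audit(web_xml: str, apphost_xml: str, pool_name: str) -> List[str]:
    cfg = web_config_timeouts(web_xml)
    idle = pool_idle_minutes(apphost_xml, pool_name)
    findings: List[str] = []
    if cfg["forms_min"] is not None and cfg["session_min"] < cfg["forms_min"]:
        findings.append(
            f"sessionState timeout ({cfg['session_min']} min) is shorter than the forms "
            f"timeout ({cfg['forms_min']} min): users stay authenticated after Session expires")
    if str(cfg["session_mode"]).lower() == "inproc" and 0 < idle < cfg["session_min"]:
        findings.append(
            f"app pool {pool_name!r} idle time-out ({idle:g} min) is shorter than the sessionState "
            f"timeout ({cfg['session_min']} min): every idle recycle wipes InProc sessions")
    if not cfg["machine_key"]:
        findings.append("no explicit <machineKey>: forms tickets issued before a recycle fail "
                        "validation after it (IsAuthenticated becomes false)")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 4:  # python audit.py web.config applicationHost.config PoolName
        web_xml = open(sys.argv[1], encoding="utf-8").read()
        host_xml = open(sys.argv[2], encoding="utf-8").read()
        results = audit(web_xml, host_xml, sys.argv[3])
    else:
        results = audit(WEB_CONFIG, APPLICATION_HOST, "AdminPool")
    print("\n".join(results) or "no timer mismatches found")
```

Note the asymmetry: a too-short sessionState timeout is a single number to raise, but an idle recycle wipes InProc sessions however long that timeout is, so on a shared host where the pool settings cannot be changed the real fix is a StateServer or SQL session store plus an explicit machineKey, not a larger timeout.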
I don't know about web.config or IIS.
But I believe that from C# code you can do it like
Session.Timeout = 60; // 60 is number of minutes
Use the following code block in your web.config file.
Here the default session timeout is 80 minutes.
<system.web>
<sessionState mode="InProc" cookieless="false" timeout="80" />
</system.web>
Use the following link for Session Timeout with popup alert message.
Session Timeout Example
FYI: The above example is done with the DevExpress popup control, so you need to customize/replace the DevExpress popup control with a normal popup control. If you're using DevExpress there is no need to customize.
In my situation, it was Application Pool. It is set to restart when idle for xx mins. When I set it to not restart, it seems to use value from Web Config.
Do you have anything in machine.config that might be taking effect? Setting the session timeout in web.config should override any settings in IIS or machine.config, however, if you have a web.config file somewhere in a subfolder in your application, that setting will override the one in the root of your application.
Also, if I remember correctly, the timeout in IIS only affects .asp pages, not .aspx. Are you sure your session code in web.config is correct? It should look something like:
<sessionState
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
stateNetworkTimeout="60"
sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
cookieless="false"
timeout="60"
/>
That is usually all that you need to do...
Are you sure that after 20 minutes, the reason that the session is being lost is from being idle though...
There are many reasons as to why the session might be cleared. You can enable event logging for IIS and can then use the event viewer to see reasons why the session was cleared...you might find that it is for other reasons perhaps?
You can also read the documentation for event messages and the associated table of events.
https://usefulaspandcsharp.wordpress.com/tag/session-timeout/
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="60" slidingExpiration="true" />
</authentication>
<sessionState mode="InProc" timeout="60" />
If you are using Authentication, I recommend adding the following in web.config file.
In my case, users are redirected to the login page upon timing out:
<authentication mode="Forms">
<forms defaultUrl="Login.aspx" timeout="120"/>
</authentication>
Since ASP.Net core 1.0 (vNext or whatever name is used for it) sessions are implemented differently.
I changed the session timeout value in Startup.cs, void ConfigureServices using:
services.AddSession(options => options.IdleTimeout = TimeSpan.FromSeconds(42));
Or if you want to use the appsettings.json file, you can do something like:
// Appsettings.json
"SessionOptions": {
"IdleTimeout": "00:30:00"
}
// Startup.cs
services.AddSession(options => options.IdleTimeout = TimeSpan.Parse(Config.GetSection("SessionOptions")["IdleTimeout"]));
You can find the setting here in IIS:
It can be found at the server level, web site level, or app level under "ASP".
I think you can set it at the web.config level here. Please confirm this for yourself.
<configuration>
<system.web>
<!-- Session Timeout in Minutes (Also in Global.asax) -->
<sessionState timeout="1440"/>
</system.web>
</configuration>
The default session timeout is defined in IIS as 20 minutes.
Follow the procedure below for each site hosted on the IIS 8.5 web
Open the IIS 8.5 Manager.
Click the site name.
Select "Configuration Editor" under the "Management" section.
From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
Set the "timeout" to "00:20:00" or less, using the lowest value possible depending upon the application. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.
In the "Actions" pane, click "Apply".
The IIS session timeout value is for classic .asp applications only; this is controlled in the IIS configuration.
In your case, for ASP.NET apps, only the web.config-specified timeout value applies.
If you want a session timeout for the website then remove the
<authentication mode="Forms">
<forms timeout="50"/>
</authentication>
tag from web.config file.
The Timeout property specifies the time-out period assigned to the Session object for the application, in minutes. If the user does not refresh or request a page within the time-out period, the session ends.
IIS 6.0: The minimum allowed value is 1 minute and the maximum is
1440 minutes.
Session.Timeout = 600;
After changing the session timeout value in IIS, Kindly restart the IIS.
To achieve this go to command prompt. Type IISRESET and press enter.
