Shared authentication between two servers - asp.net

I've set up the same site on two servers sitting behind a load balancer. I have the following in my web.config file
<sessionState mode="SQLServer" cookieless="false" allowCustomSqlDatabase="true"
sqlConnectionString="Data Source=server;Initial Catalog=ASPState;Persist Security
Info=True;User ID=user;Password=password" timeout="2880" sqlCommandTimeout="10" />
It appears to be working, I can see the ASPState tables populating when I log in, however I see that if I refresh several times after logging in it goes back and forth between being logged in and not logged in depending on which server I hit. Am I missing something?
I'm using the default webmatrix authentication built into MVC 4.

This ca be because you have different MachineKeys on your servers or the have the default value. And because of this you authentication cookies are encrypted in two different ways.
Try setting the machineKey in your web.config. Here is tool that helps generating the machineKey http://aspnetresources.com/tools/machineKey

As this post explains you will need to have the same Application ID on both servers.
"When you create applications that you expect to share session state using Sql Server, they need the same ID configured in IIS. This is because the session ID that is generated is generated based on the application ID. (Internally the application ID is something like LM/W3SVC/1
The two servers had different IDs for each application in IIS. The resolution is to change the ID under `Manage Website -> Advanced Settings' on each server."
Cheers

Related

Maintaining Session across different domains with Azure Redis Cache Session State Provider

How can i share the same session state across different web apps using Azure Redis Cache Session State Provider?
My Web.configs for both applications are like that:
<sessionState mode="Custom" customProvider="MySessionStateStore">
<providers>
<add name="MySessionStateStore"
type="Microsoft.Web.Redis.RedisSessionStateProvider"
port="6380"
host="[myhostname].redis.cache.windows.net"
accessKey="[mykey]"
throwOnError="true"
applicationName="[mySharedAppName]"
ssl="true" />
</providers>
There are typically two things you need to do:
Set the applicationName attribute to the same string value in the web.config of both apps.
If the apps are in different IIS sites or different servers, you may need to change the cookie scope for the ASP.NET_SessionId cookie that ASP.NET sends to the browser for you behind the scenes. You'll get into trouble if the scope of that session cookie doesn't encompass both apps: the web browsers will use different session cookies and your sessions won't be shared. But if you just have two app directories under the same site then you shouldn't need to think about this.

Two ASP.NET applications hosted in same server. Window.open from one application for other application logs out the first application

I have two ASP.NET applications hosted in our server. In first application (say A), I have a hyperlink to open the second application (say B).
I am using window.open to open B.
window.open(myurl, "mywindow", "menubar=1,scrollbars=yes,resizable=1");
When B is opened, A gets logged out.
I hosted B in another server and opened it from A, now A does not get logged out.
I am pretty sure that it is an issue with session.
I actually need to host both applications in one server. Am I missing any configuration?
Session state and forms authentication are 2 different things, and each one has a separate cookie. Session state has nothing to do with whether or not the user is logged in.
You should be adjusting the Forms Authentication cookie settings if you want each application to have a separate cookie name:
<authentication mode="Forms">
<forms loginUrl="member_login.aspx"
cookieless="UseCookies"
name=".ASPXFORMSAUTH" /> <!-- Change the cookie name here -->
</authentication>

Sharing ASP.NET session info between applications in a single application pool and worker process

Can ASP.NET applications in a common application pool share session information if they are in separate threads in a single worker process? One of my applications is having issues related to not having any of the session information it needs from the other application, but I used Trace.axd to confirm that requests to each application are using the same session identifier.
I resolved the issues we were experiencing by making our applications "cookieless".
I updated the web.config file for the applications as follows:
<!--sessionState mode="InProc" cookieless="false" timeout="30" /-->
<sessionState mode="InProc" cookieless="true" timeout="30" />
If anyone can explain why this works, I would appreciate the education.
Thank you to all who offered suggestions.
ASP.NET session is scoped "within" application if using out-of-the-box session providers, so each application will have its own session even if the session id/key value appears to be the same. But since the requests to each application are using the same session identifier value, you appear to be well set to implement a custom SessionStateStoreProvider that can store/retrieve data using this identifier across both applications.
You could also have a look at Sharing sessions across applications using the ASP.NET Session State Service, but since this approach involves modifying the workings of the stock SQL session store provider, you'd risk spillover effects on other sites/applications.
I thik it could be helpfull Sharing Aspnet Session across different domains there's no other way.
you cannot share a session between different domain.
there's another solution that could be pass all data via querystring to the other domain so it can rebuild the right session values.
Personally i will invite you to use encrypted value to be sure that are not visibile if you will choose GET option.

How to maintain Forms authentication session state between Azure Web Roles?

I have deployed a RIA Services enabled Silverlight Business application on Azure that uses Forms authentication.
To enable Forms authentication on Azure, I have implemented the Table Storage providers from the Azure Toolkit. It almost works, but I have problems with keeping the session state. After I have logged in, and repeatedly presses F5 to refresh the page I switch between being logged in and logged out.
I have two Web Role Instances, and if I disable one of the it works like a charm. But as soon as I enable the second instance it's back to this sporadic behaviour. So clearly the state is not preserved because of the load balancing. Fine, I forgot to implement the Session provider, so I did:
<sessionState mode="Custom" customProvider="TableStorageSessionStateProvider">
<providers>
<clear />
<add name="TableStorageSessionStateProvider"
type="Microsoft.Samples.ServiceHosting.AspProviders.TableStorageSessionStateProvider"
applicationName="AppAdmin"
/>
</providers>
</sessionState>
Sadly, that didn't help.
Update: The actual table (Session) is created in the Table Storage, but no data is in there.
Any ideas and/or suggestions?
Have you set your machine key in web.config?

Login issues on shared SQLServer session state of web-farm

Per a question I posted yesterday, our website's DNS structure has changed to round-robin DNS which literally swaps back and and forth between two production servers. Our web.config for both prod servers has:
<sessionState mode="SQLServer" ... > pointing to the same shared DB
A machineKey on each server that is consistent between the two (this was the main point of my post yesterday).
[update] The same domain in the <forms domain=".mydomain.com" ... > tag
When we use the login feature on the site, the login actually makes a web service request to a 3rd website that authenticates a user. If the resulting response says it was a successful login, then we use FormsAuthentication to log the user in:
FormsAuthentication.SetAuthCookie(strUserID, true);
Our issue is that on some pages we see we are logged in, others we're not. Is this something indicative of either us not completing a final step to share session between two prod servers or could our SQL server session DB be broken?
Thanks in advance
UPDATE:
Our code to determine if the user is logged in is quite basic:
HttpContext.Current.User.Identity.IsAuthenticated
UPDATE 2:
When I hit prod1.mysite.com (or prod2.mysite.com) I get a cookie called "ASP.NET_SessionId" but when I hit the live public URL, www.mysite.com, I don't get this cookie. Is this part of the problem?
RESOLUTION:
It turns out that everything we did here was all correct and that our live site which uses Akamai was being cached in various states due to Akamai's cache configuration. Sharing your logged in state between servers has been confirmed to work.
One thing you could do is use the Firebug add-on for Firefox to ensure that the authentication cookie is being sent to the browser as expected after logging in although as you are seeing that you are logged in on some pages I would expect this to be the case.
Another thing to check would be that the domain is set correctly for the authentication cookie and that it is valid for all pages on your website.
This is typically set in you web.config in the forms tags, example below and should be same on each server in the web farm.
<authentication mode="Forms">
<forms name="yourAuthCookie" loginUrl="/login.aspx" protection="All" path="/" domain="mydomain.com" timeout="30"/>
</authentication>
If this is all correct then it is possible that session is not being shared correctly between your servers although the settings that your have described in your question appear to cover what is needed.

Resources