We have as SAAS application that runs for multiple customers at the same time. All customers use the same application, and by checking the URL used to access the application, users are redirected to the correct data for the organization.
Underwater, every organization has their own database. To make sure that users don't accidentally end up in the wrong database, we want to impersonate the request being executed to a user that only has access to the correct database. We used to do this and this worked beautifully on IIS in classic mode.
However, in integrated pipeline mode, we run into a threading issue. We use an HTTP module to impersonate the request to the correct user in the "PreRequestHandlerExecute" event. The problem that (apparently) there is no guarantee that this method is executed in the same thread as the handler that actually processes the request. This causes the impersonation to sometimes not work because the thread processing the request is not impersonated.
I've created a test project in GitHub (https://github.com/PaulVrugt/ImpersonationExample/tree/master/ImpersonationTest) demonstrating the issue (apologies for the vb.net, but you'll get the idea). When you run the example connected to an IIS using integrated pipeline mode, you'll see that sometimes the impersonated user is not used, and each time it is not used, the managedthreadid of the thread processing the request is different from the thread used in the httpmodule.
Now that I understand why it "sometimes" doesn't work, I begin to suspect I'm going about this all wrong. Is there a way to achieve what I am trying to do?
We've already tried to impersonate in the prerequesthandler in the global.asax, but that results in the same issue.
I have a problem that appears while using concurrent users in IIS/.Net 3.5.
I am logged in using two users to the same server (user1, user2), both are using different computers. If I press on a link to one page using user1 and immediately on the same link to the same page using user2, I receive the sent page to user1 on both computers.
It seems that IIS is caching the requests and sending it to both computers even though that both are logged in using different accounts.
This never happens if you wait a bit before doing that. Is there any specific IIS configuration that caches those requests? How can I link it to per account instead to all? At worst case, how can I disable it?
Any tips are highly appreciated.
ASP.NET has a configurable/extensible output caching mechanism.
You can configure/disable the stock page output caching in web.config, or write your own custom output cache provider and refer to that in web.config.
There's information about it here.
In my ASP.NET project, I am using Forms authentication. My main.master using LoginStatus control and web.config is set up for "Forms" authentication mode.
Before I log in, the control shows the text as "Login." After I log in, the control shows the text as "Logout." This is expected. However, after clicking around on a few links within the site, the control suddenly starts showing "Login" although I am still logged in. The session is still alive as some of the pages I visit dumps some session information.
Would appreciate if something can point me in the right direction. Regards.
If you are trying to redirect after setting a Session variable using
Response.Redirect("YourPage.aspx");
this may be causing the session token to gets lost, try using the overloaded version of Redirect:Response.Redirect("~/YourPage.aspx", false);
Another problem also may be miss configuration of application pool. If the application pool is configured as a web farm or a web garden (by setting the
maximum number of worker processes to more than one) and if you're
not using the session service or SQL sessions, incoming requests will
unpredictably go to one of the worker processes, and if it's not the
one the session was created on, it will get lost.
The solutions to this is either not to use a web garden if you don't need the
performance boost, or use one of the out of process session
providers.
For more information you can check the link of the original article below: http://weblogs.asp.net/bleroy/Don_2700_t-redirect-after-setting-a-Session-variable-_2800_or-do-it-right_2900_
We have a web application through which customers access information. It has been reported by many customers that they are logged out within 5 minutes of no activity. I believe this should only occur after the default 20 minute idle timeout, and this is the case when accessing the web app from inside our domain.
I also spent a few days troubleshooting an error in which some of the user's session data was lost between post backs about 60% of the time, causing an application error since the next page needed the data. The only resolution was a work-around in which I use an additional mechanism for caching the data between postbacks and pull the data from that cache if the session data is gone.
I have also noted that some websites that I visit which require logon credentials will also kick me out between postbacks. For example, a website for a school I take classes at requires logon credentials to their portal. At home I never have any issue, but if I access it from my work domain I often get random errors indicating that my credentials have been lost (i.e. "Unauthorized access is not permitted" after logging in and browsing to a page).
Combing the web for ideas has led me down a few paths, but most address the IIS worker process and ASP.NET and have not helped me.
Does anyone have any ideas or suggestions about how to resolve this?
this is not because of the programming problem...this is because of your host capacity...as you know session are a type of memory that is create for each user when they access to your website and it's terminated when they finish visiting...so in this case I suppose the number of site visitors has risen up,so by default when the memory become full, it kicks one session out and causes all these problems...I think the best thing to do is calling where you get your host services and ask for a service that cover sites needs
You just store your session value in to cookie so you can access that value when session terminate.. or you can use global file to manage session state..
I have an asp .net webforms app that uses forms authentication. For a small number of users we have a problem where they log in, they navigate to a couple of pages and then they are asked to log in again. Once logged in for a second time they seem to be able to stay logged in as expected. They shouldn't be asked to login the second time.
This is a single server, no web farms, nothing tricky.
This only happens to a few users, but it does seem to be all users from the same building. I am unable to replicate this and at this point might even start to deny that t was happening if one of our trainers hadn't watched it happen to a couple of customers.
Has anyone else seen anything like this?
I am also seeing a lot of "Membership credential verification failed." errors in the event log. This may be related, but all the googling I've done seems to point to web farms and the like, not a single server.
UPDATE
There is no proxy server, the IIS server and the browser (IE8) are both on the same machine.
The AV software installed is Symantec Endpoint, on one machine, on the other the user didn't have any AV at all (AV Fail!).
The browser is IE 8 with no frills, not a single addin that didn't come with the default installation.
Both session and user login time-outs are set to 30 mins and the problem happens within 1 min of the user logging on.
Logging shows the user to only have one IP address.
I have tried the sessionMode in all it's variations, this doesn't seem to make any difference.
Something has to be causing ASP.NET to think these users have new sessions or their authentication cookie is getting invalidated. Here a a few things I can think to check:
Are the users accessing the site through a proxy server? One of our customers has a proxy that will sometimes close all open connections causing ASP.NET to see the session as new.
Could an overly agressive anti-virus, anti-spyware product be "eating" the session authentication cookie?
Do they have a cookie manager browser add-in that is causing the authentication cookie to disappear or change?
Sounds basic but I've seen this happen because of site timeouts being set too short. If the user sits on the page for longer than the timeout, they will be forced to logon again. And this could be specific to a page when that page presents a large amount of data that takes a while for them to go through.
One other thing I just thought of, have you allowed multiple worker processes for the ASP.NET process (aka web gardens)? If so, the same constraints as with a web farm would apply for authentication.
Crack open Fiddler from the problem user's PC and see what's getting passed in the headers. My bet is on a proxy server and or networking issue.
Are the users possibly coming from a dynamic ip address? I've seen problems where the users sessions get messed up because the IP address that they're accessing the site from changes for some reason.
Are the people this is happening using a browser that's somehow different (different browser, different version, different extensions)? That could be a clue.
In general, when the problem is somewhat reproducible or at least predictable, I use Http Fiddler. Install it on a client machine, turn it on, and start browsing (this works via a system proxy - so it'll work for firefox, IE and any other proxy-supporting browsers alike). Fiddler will record all http traffic between client and server, and you can then peruse such a session later on to find any oddities.
It's a long shot, but one thing I've seen happen occasionally that can lead to these sorts of unpredictable errors is scripting parallelization issues: sometimes buttons + links have onclick handlers which cause a post-back. If you have several such handlers that fire on the same event - in particular when the default event still fires additionally to your custom onclick or whatnot - you may be causing several postbacks when it appears to be just a single postback. That can cause all kinds of unpredictable weirdness as it's not entirely clear which request ends up "winning" - and some odd errors may cause a session to terminate. Since this behaviour is very browser + network latency sensitive, it seems quite unpredictable when it occurs.
Delete the cookie on the client PC's that are playing up
ASP.NET Forms Authentication can redirect users to the login page if they do not have the credentials to access a specific page. It does this so that users who may have more than one login are given the opportunity to login with another account which may have the appropriate access. Basic question I know, but are the users using the same credentials the second time they log in?
Its possible that you have don't have specifically specified asp.net to use cookie based session but are allowing either cookie or cookieless sessions.
In the later case the session id is embedded in the Url. The type of issues you are experiences might be explained by that. Basically depending on how you define your links, some of them would not get the session id, so the user would get a new session when using those links - or maybe during a redirect. That could explain why at specific parts of your site the users loose their session.
If you have the mixed mode enabled, try setting it to only cookieless and go through your site.
Update: Based on the extra info posted there is surely more info needed for it. Some extra things to check:
Are you using subdomains, if that's the case the cookie might not be configured to allow that and that doesn't fail in all environments.
If you are using in-process session, make sure there isn't a bug in the application causing it to restart the process
Maybe what's causing it to ask for login again is an authorization check, and you have an issue on some roles related code
Is it possible that the user is just opening a separate window? ;)
To rule out the possibility of the browser or a browser addon messing things up, have you checked their User Agent strings? If they are randomly distributed it might not cause the problem, but if they're all the same, this might be a hint too.