SitePoint Sponsor

User Tag List

Results 1 to 16 of 16
  1. #1
    SitePoint Zealot davejuk's Avatar
    Join Date
    Apr 2006
    Location
    UK
    Posts
    188
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Forms Authentication kicking users out

    I am using Forms Authentication in my ASP.NET 2.0 web app running on Windows Server 2003.

    I am getting a steady flow of users complaining that they are being kicked out and asked to log in again after using the site for a short while.

    I guess this is some idle time-out set somewhere but it's happening very quickly in some cases, after about 10 minutes.

    This is obviously very frustrating for users when they are losing their progress on a form.

    In my web.config I have the "timeout" attribute of <forms> within <authentication> set to 30 so this is not likely to be the issue. All of the users I have spoken to are sure they hadn't been using it for 30 minutes before they were kicked out.

    What other variables could it be? Or is it possible it's a bug in my code? It's happened on a range of different pages within my application.

  2. #2
    Chopped Liver bronze trophy imaginekitty's Avatar
    Join Date
    Aug 2007
    Location
    Pennsyltucky
    Posts
    1,494
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by davejuk View Post
    ... All of the users I have spoken to are sure they hadn't been using it for 30 minutes before they were kicked out. ...
    Of course not. The users never make mistakes. What have your tests shown?

    What do you have slidingExpiration set to?

  3. #3
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,649
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Well, sliding expiration helps. But I'd suspect your application is getting recycled, which will invalidate the forms authentication ticket. How much control do you have of the server?

  4. #4
    SitePoint Evangelist
    Join Date
    Apr 2008
    Location
    Dublin, Ireland
    Posts
    461
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Is it the session timeout which defaults to 20 minutes? There may be issues with having no timeout but you can configure session through sql server which if memory serves never times out - http://support.microsoft.com/kb/317604.

    I have long given up telling users about the risks of walking away logged into an application. They want to go for lunch, come back and continue filling in a form. This was the only way to keep them happy.

  5. #5
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,649
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    FormsAuthentication does not care about sessions.

    As for the long lunch issue, we have a little AJAX heartbeat control that handles this nicely. It held someone logged into an app and in the same session for 3 weeks straight once. Without them touching the computer.

  6. #6
    SitePoint Evangelist
    Join Date
    Apr 2008
    Location
    Dublin, Ireland
    Posts
    461
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by wwb_99 View Post
    FormsAuthentication does not care about sessions.

    As for the long lunch issue, we have a little AJAX heartbeat control that handles this nicely. It held someone logged into an app and in the same session for 3 weeks straight once. Without them touching the computer.
    Yeah I forgot I use a custom login solution that uses session.

  7. #7
    SitePoint Mentor NightStalker-DNS's Avatar
    Join Date
    Jul 2004
    Location
    Cape Town, South Africa
    Posts
    2,880
    Mentioned
    48 Post(s)
    Tagged
    0 Thread(s)
    Also just make sure you dnt have any code in the global.asax file in the Session_End method like FormsAuthentication.SignOut(). If that is the case, when your sessions expire after however long, it will destroy the users cookie.

    And what code are you using to log the user in?

  8. #8
    SitePoint Zealot davejuk's Avatar
    Join Date
    Apr 2006
    Location
    UK
    Posts
    188
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks for the replies.

    NAWA-mark: I only have a few users, most of whom I know quite well. I trust that they can guestimate half an hour!

    NightStalker-DNS:
    I don't do anything on Session_End in my global.asax

    wwb_99: Not being particularly experienced with forms auth, that was the first thing I checked. It's hosted on a Windows 2003 VPS which I have full control over. The application pool only handles this one site. I previously unchecked the 3 recycle boxes and ticked the maximum used memory box and set it to 256MB. I've never seen it eat up that much memory.

    Here's a relevant snippet from my web.config. I added the sessionState section during this round of troubleshooting. They haven't reported it again since so there's a slim chance that resolved it, although it's only been a couple of days.

    Code XML:
    <sessionState
               mode="InProc"
               cookieless="false"
               timeout="60"
        />
     
        <authentication mode="Forms">
          <forms name="wwauth" 
          loginUrl="/Login.aspx" 
          defaultUrl="/my-account/" 
          protection="All" 
          timeout="60"
          slidingExpiration="true"
          path="/" />
        </authentication>

  9. #9
    SitePoint Mentor NightStalker-DNS's Avatar
    Join Date
    Jul 2004
    Location
    Cape Town, South Africa
    Posts
    2,880
    Mentioned
    48 Post(s)
    Tagged
    0 Thread(s)
    Try setting your cookie as persistent to expire in say 1 hour or something. When i get to work in the morning il post some syntax if you need it.

  10. #10
    SitePoint Zealot davejuk's Avatar
    Join Date
    Apr 2006
    Location
    UK
    Posts
    188
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    This is still an ongoing issue for me.

    If I log in, then go into IIS and recycle the process, I can continue to browse around logged in as if nothing happened. Should this behaviour be expected?

    If so, it's clearly nothing to do with the process being recycled.

  11. #11
    SitePoint Evangelist praetor's Avatar
    Join Date
    Aug 2005
    Posts
    479
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Try configuring the Machine Key.
    You can use this key generator

  12. #12
    SitePoint Zealot davejuk's Avatar
    Join Date
    Apr 2006
    Location
    UK
    Posts
    188
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Excuse my ignorance but how does that help me?

    Are you suggesting that the ViewState is somehow becoming corrupted?

    Thanks.

  13. #13
    SitePoint Evangelist praetor's Avatar
    Join Date
    Aug 2005
    Posts
    479
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The same key is used to encrypt the authentication ticket. If for somewhat reason that key changes, the tickets will be invalidated. My first guess was also the recycling problem but if you say it wasn't that, then this is the only thing I could think of that might be a possible solution.

  14. #14
    SitePoint Mentor NightStalker-DNS's Avatar
    Join Date
    Jul 2004
    Location
    Cape Town, South Africa
    Posts
    2,880
    Mentioned
    48 Post(s)
    Tagged
    0 Thread(s)
    If the user is getting logged out and ur using forms authentication, recycling will do nothing as the authentication is a cookie, doesnt matter about server. But if your sessions are ending prematurely i also would have thought it be recycling.

    Just for interest sake, have you tried using a StateServer instead of InProc?

    Give that a shot and see if it helps at all

  15. #15
    SitePoint Zealot davejuk's Avatar
    Join Date
    Apr 2006
    Location
    UK
    Posts
    188
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    NightStalker-DNS: Good shout about StateServer. I'll report back if/when it happens again.

    praetor: Although it's not happening that often, it is happening too often for me to believe that it's caused by corruption.

  16. #16
    SitePoint Member
    Join Date
    Mar 2011
    Posts
    5
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    davejuk,

    Have you resolved this issue? We are also getting the same problem and its very frustrating. It doesn't happen all the time. It looks like the Authentication Ticket is somewhat not valid but intermittently. Is this a common problem with ASP.net forms Authentication???

    Anybody can help resolve this problem.

    thanks,


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •