ASP.NET Users being kicked out Randomly

**james.fuentez** · Mar 17, 2011 12:30

We are getting problem were users being kick out of the form and navigates to Login page even if the session has not timed out yet. very frustrating to the users...

It doesn't happen all the time and not to all users. It looks like the Authentication Ticket is somewhat not valid but intermittently.

Is this a common problem with ASP.net forms Authentication???

Anybody can help resolve this problem.

**Serenarules** · Mar 17, 2011 12:36

Actually, the ticket may in fact be expiring. Have you actually tracked one to see if it is being renewed correctly? Here's a link to an example of how to get at the ticket, test for sliding expirations, and renewing it.

http://abadjimarinov.net/blog/2010/0...spdotNET.xhtml

**webcosmo** · Mar 17, 2011 12:41

you should check the authentication token and session both. if either is not set properly logout.

depending on your settings, your session could be alive lot longer then the authentication ticket or vice versa.

you could consider using sliding expiration for auth tokens along with DB session storage if you wanna give user long period of active time.

**james.fuentez** · Mar 17, 2011 13:04

Originally Posted by webcosmo

you should check the authentication token and session both. if either is not set properly logout.

depending on your settings, your session could be alive lot longer then the authentication ticket or vice versa.

you could consider using sliding expiration for auth tokens along with DB session storage if you wanna give user long period of active time.

What do you mean by authentication token? Some users complained that they are even active for less than 5 mins...

Anyway, here's whats in the web config.

Code:

<authentication mode="Forms">
			<forms loginUrl="logon.aspx" protection="All" name="authCookie" timeout="60" path="/">
			</forms>
		</authentication>

I will try to add slidingExpiration="true" and see if we will still get some complains althought we have implemented keepalive in the basepage.

HTML Code:

<div style="display:none">
    <iframe id="frmKeepAlive" width="1px" height="1px" frameborder="0" src="//xxxxx.net/xxxxx/keepalive.htm">
    </iframe>
</div>

where the keepalive.htm reloads every 5 mins. So before even the session expires. Server knows that the user is still active.

I will also change the timeout to 60 and see if this will make any difference.

HTML Code:

<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/>

Thank you guys for all your reply...

**honeymonster** · Mar 17, 2011 13:13

Check the eventlog to see if your app recycles for some reason. If there's a serious resource leak IIS may recycle the app pool to release memory. IIRC it is by default set to recycle if IIS uses more than 60% of RAM.

**james.fuentez** · Mar 17, 2011 13:23

Originally Posted by honeymonster

Check the eventlog to see if your app recycles for some reason. If there's a serious resource leak IIS may recycle the app pool to release memory. IIRC it is by default set to recycle if IIS uses more than 60% of RAM.

Yes, eventlog doesn't show any recycling of IIS. Otherwise all of them will be kicked out. Only some users are experiencing this... and some of them after just logging in.

Is there any known issue of Anti -Virus in the client side corrupting the Auth Ticket???

**Serenarules** · Mar 17, 2011 13:28

I am "almost" positive that <authentication><forms timeout="value"> is in seconds, but I could be wrong. I usually use 3600 for one hour.

**james.fuentez** · Mar 17, 2011 13:34

Originally Posted by Serenarules

Actually, the ticket may in fact be expiring. Have you actually tracked one to see if it is being renewed correctly? Here's a link to an example of how to get at the ticket, test for sliding expirations, and renewing it.

Renew User in the same Request in asp.net while using forms authentication with cookies

This makes sense to me... renewing the Authorization Ticket...I will give this a rip!

Code:

.
.
.
if (authTicket != null && !authTicket.Expired)
    {
      FormsAuthenticationTicket newAuthTicket = authTicket;

      if (FormsAuthentication.SlidingExpiration)
      {
        newAuthTicket = FormsAuthentication.RenewTicketIfOld(authTicket);
      }
      string userData = newAuthTicket.UserData;
      string[] roles = userData.Split(',');

      System.Web.HttpContext.Current.User =
        new System.Security.Principal.GenericPrincipal(new FormsIdentity(newAuthTicket), roles);
    }

**verschha** · Mar 17, 2011 14:29

Originally Posted by Serenarules

I am "almost" positive that <authentication><forms timeout="value"> is in seconds, but I could be wrong. I usually use 3600 for one hour.

Yes, you're wrong, it is in Minutes:

FormsAuthenticationConfiguration.Timeout Property (System.Web.Configuration)

**verschha** · Mar 17, 2011 14:49

Originally Posted by james.fuentez

Yes, eventlog doesn't show any recycling of IIS.

Are you sure about that? Because the behavior you're experiencing sounds to me that the application recycles! Do you have a machine key in your web.config? If not, you really should create one:

Online tool to create keys for view state validation and encryption

The machinekey is used to encrypt/decrypt the authentication tickets. When no machinekey is specified, ASP.NET will generate one. But when the application recycles, ASP.NET will generate a new one, resulting in the behavior your telling. Because the existing tickets are encrypted using the previous key, with the new key they cannot be decrypted anymore so ASP.NET will force you to login again. Specifying a machine key will solve this

**Serenarules** · Mar 17, 2011 17:19

Originally Posted by verschha

yes, you're wrong, it is in minutes:

formsauthenticationconfiguration.timeout property (system.web.configuration)

doh! =)

User Tag List

Thread: ASP.NET Users being kicked out Randomly

Thread Tools

Display

ASP.NET Users being kicked out Randomly

Bookmarks

Bookmarks

Posting Permissions