FOLLOW UP : Forms Authentication Randomly Times Out (Windows 2003)

[Pete]

Hi,
I didn't get any responses from the first post I made about this so I've
done a bit more investigation but I'm still having problems (but only in
Production (Win 2003) not development (XP Pro)). This leads me to think it's
a server config issue rather than code problem. Anyway here's the
problem....hope you can help.

My logged on users are randomly kicked out of my secure pages well before
the auth cookie expires. The persist cookie is working as I can see it
stored in the browser cache. Apparently their Forms Authenicated session has
expired however & there seems to be no pattern as to when it expires.

The standard user "Session" appears to be fine and lasts for the configured
length in Web.Config.

Here's what I've tried....

Changing the Forms Cookie name & Timeout.
Checking all code (it works exactly as expected on my XP Pro box)
Asked hosting provider if they broke it (said they didn't)

Is it possible that a setting in Machine.Config could be causing me these
issues? If so what section would it be?

Any ideas at all would be appreciated as I'm really stuck with this and my
users are not so happy.


thanks for looking

Pete

 

[Joe Audette]

I'm also seeing some evidence that when this occurs, that
Context.User is not an object, the problem seems to be
random and momentary, that is a few seconds later
Context.User is resolved as an object if the user tries
the page again.


To clarify, we are also using forms authentication.

 

[Pete]

Hi Joe,

Thanks for the reply. I've tested and I don't seem to be able to resume a
session again after being redirected back to the logon page.

I've tried pretty much everything, the only thing could be........has your
server got the Microsoft Security patch " Q813380"
http://support.microsoft.com/?kbid=813380 installed? I seemed to have these
problems after this patch was applied (can't be 100% sure though). Although
it doesn't sound like it should affect anything I guess anything is
possible. If you do have this patch could you let me know and I'll then try
applying to my XP dev box here to see if the issue can be replicated.

thanks

Pete

 

[Joe Audette]

It doesn't look like we have that patch on our server.
We're not using FrontPage extensions. I'll be interested
to hear if you ever find a fix. I was not able to so I
had to scrap the automatic re-direction to login from the
web.config files and code my own checks and re-direction.
The difference with the login may be because we are using
win2k server, but the problem started suddenly after
running a long time with no problems. Its like the server
loses the session state context intermittently.
I've been trapping errors where references to
Context.User results in a not an instance of an object
error, but then just a fraction of a second later in my
exception handler I'm able to determine who the user is
by Context.User
Weird!!! I wish the Microsoft guys would respond to this
but I guess they won't until it affects more users.

Best Regards,

Joe

 

[Pete]

Well there goes my theory on the patch.

My site was same, worked flawlessly for months then all of a sudden I get
this issue.
Strangly it is still ok on my XP box so I know it's not code. I still want
ot use the built
in Forms authentication rather than code my own but if Microsoft can't help
out (hint hint)
then I might have to rewite it all.

One other thing I did notice last night was that I could re-establish a
session after closing the browser and re-opening again. I guess this just
shows that the cookie has been persisted correctly and can still
authenticate the user. Unfortunatley I still got a random timeout a few
minutes later......

Another option I was thinking of was moving hosting provider, could be just
a way my host has configured something, but I'm not 100% sure.

I'll let you know if this ever gets sorted, but I'm not holding my breath as
it's been the best part of a month now.

Microsoft please help us........

regards

Pete

--
Cheers

Pete

XBOX Live Leagues & Tournaments
http://www.xboxracing.net/

 

[Brian Scott]

Not much to add beyond what has been said, just want to add my comapny
as one affected by this. We are seeing the same problem recently
after the application ran fine for a number of months. The server is
Win2k and we are using Forms Authentication. There sems to be no
pattern to the users being redirected to the login page. I'll have
them test the next time if they are indeed logged out or just
redirected.