FOLLOW UP : Forms Authentication Randomly Times Out (Windows 2003)

Discussion in 'ASP .Net Security' started by Pete, Dec 5, 2003.

  1. Pete

    Pete Guest

    Hi,
    I didn't get any responses from the first post I made about this so I've
    done a bit more investigation but I'm still having problems (but only in
    Production (Win 2003) not development (XP Pro)). This leads me to think it's
    a server config issue rather than code problem. Anyway here's the
    problem....hope you can help.

    My logged on users are randomly kicked out of my secure pages well before
    the auth cookie expires. The persist cookie is working as I can see it
    stored in the browser cache. Apparently their Forms Authenicated session has
    expired however & there seems to be no pattern as to when it expires.

    The standard user "Session" appears to be fine and lasts for the configured
    length in Web.Config.

    Here's what I've tried....

    Changing the Forms Cookie name & Timeout.
    Checking all code (it works exactly as expected on my XP Pro box)
    Asked hosting provider if they broke it (said they didn't)

    Is it possible that a setting in Machine.Config could be causing me these
    issues? If so what section would it be?

    Any ideas at all would be appreciated as I'm really stuck with this and my
    users are not so happy.


    thanks for looking

    Pete
     
    Pete, Dec 5, 2003
    #1
    1. Advertising

  2. Pete

    Joe Audette Guest

    I'm also seeing some evidence that when this occurs, that
    Context.User is not an object, the problem seems to be
    random and momentary, that is a few seconds later
    Context.User is resolved as an object if the user tries
    the page again.


    To clarify, we are also using forms authentication.

    >-----Original Message-----
    >Hi,
    >I didn't get any responses from the first post I made

    about this so I've
    >done a bit more investigation but I'm still having

    problems (but only in
    >Production (Win 2003) not development (XP Pro)). This

    leads me to think it's
    >a server config issue rather than code problem. Anyway

    here's the
    >problem....hope you can help.
    >
    >My logged on users are randomly kicked out of my secure

    pages well before
    >the auth cookie expires. The persist cookie is working

    as I can see it
    >stored in the browser cache. Apparently their Forms

    Authenicated session has
    >expired however & there seems to be no pattern as to

    when it expires.
    >
    >The standard user "Session" appears to be fine and lasts

    for the configured
    >length in Web.Config.
    >
    >Here's what I've tried....
    >
    >Changing the Forms Cookie name & Timeout.
    >Checking all code (it works exactly as expected on my XP

    Pro box)
    >Asked hosting provider if they broke it (said they

    didn't)
    >
    >Is it possible that a setting in Machine.Config could be

    causing me these
    >issues? If so what section would it be?
    >
    >Any ideas at all would be appreciated as I'm really

    stuck with this and my
    >users are not so happy.
    >
    >
    >thanks for looking
    >
    >Pete
    >
    >
    >
    >
    >
    >.
    >
     
    Joe Audette, Dec 9, 2003
    #2
    1. Advertising

  3. Pete

    Pete Guest

    Hi Joe,

    Thanks for the reply. I've tested and I don't seem to be able to resume a
    session again after being redirected back to the logon page.

    I've tried pretty much everything, the only thing could be........has your
    server got the Microsoft Security patch " Q813380"
    http://support.microsoft.com/?kbid=813380 installed? I seemed to have these
    problems after this patch was applied (can't be 100% sure though). Although
    it doesn't sound like it should affect anything I guess anything is
    possible. If you do have this patch could you let me know and I'll then try
    applying to my XP dev box here to see if the issue can be replicated.

    thanks

    Pete



    "Joe Audette" <> wrote in message
    news:0fee01c3be76$a9841590$...
    > I am having the same apparent problem using framework 1.1
    > on win2k server. User's randomly get sent to the login
    > page when they are not logged out. Although they get sent
    > to the login page they are not really logged out, if they
    > click a link to the page they were on they get right back
    > in without logging in again. You might check and see if
    > your situation is the same, that is are they truly logged
    > out or just directed to the login page.
    >
    > Best Regards,
    >
    > Joe Audette
    > >-----Original Message-----
    > >Hi,
    > >I didn't get any responses from the first post I made

    > about this so I've
    > >done a bit more investigation but I'm still having

    > problems (but only in
    > >Production (Win 2003) not development (XP Pro)). This

    > leads me to think it's
    > >a server config issue rather than code problem. Anyway

    > here's the
    > >problem....hope you can help.
    > >
    > >My logged on users are randomly kicked out of my secure

    > pages well before
    > >the auth cookie expires. The persist cookie is working

    > as I can see it
    > >stored in the browser cache. Apparently their Forms

    > Authenicated session has
    > >expired however & there seems to be no pattern as to

    > when it expires.
    > >
    > >The standard user "Session" appears to be fine and lasts

    > for the configured
    > >length in Web.Config.
    > >
    > >Here's what I've tried....
    > >
    > >Changing the Forms Cookie name & Timeout.
    > >Checking all code (it works exactly as expected on my XP

    > Pro box)
    > >Asked hosting provider if they broke it (said they

    > didn't)
    > >
    > >Is it possible that a setting in Machine.Config could be

    > causing me these
    > >issues? If so what section would it be?
    > >
    > >Any ideas at all would be appreciated as I'm really

    > stuck with this and my
    > >users are not so happy.
    > >
    > >
    > >thanks for looking
    > >
    > >Pete
    > >
    > >
    > >
    > >
    > >
    > >.
    > >
     
    Pete, Dec 10, 2003
    #3
  4. Pete

    Joe Audette Guest

    It doesn't look like we have that patch on our server.
    We're not using FrontPage extensions. I'll be interested
    to hear if you ever find a fix. I was not able to so I
    had to scrap the automatic re-direction to login from the
    web.config files and code my own checks and re-direction.
    The difference with the login may be because we are using
    win2k server, but the problem started suddenly after
    running a long time with no problems. Its like the server
    loses the session state context intermittently.
    I've been trapping errors where references to
    Context.User results in a not an instance of an object
    error, but then just a fraction of a second later in my
    exception handler I'm able to determine who the user is
    by Context.User
    Weird!!! I wish the Microsoft guys would respond to this
    but I guess they won't until it affects more users.

    Best Regards,

    Joe
    >-----Original Message-----
    >Hi Joe,
    >
    >Thanks for the reply. I've tested and I don't seem to be

    able to resume a
    >session again after being redirected back to the logon

    page.
    >
    >I've tried pretty much everything, the only thing could

    be........has your
    >server got the Microsoft Security patch " Q813380"
    >http://support.microsoft.com/?kbid=813380 installed? I

    seemed to have these
    >problems after this patch was applied (can't be 100%

    sure though). Although
    >it doesn't sound like it should affect anything I guess

    anything is
    >possible. If you do have this patch could you let me

    know and I'll then try
    >applying to my XP dev box here to see if the issue can

    be replicated.
    >
    >thanks
    >
    >Pete
    >
    >
    >
    >"Joe Audette" <> wrote in

    message
    >news:0fee01c3be76$a9841590$...
    >> I am having the same apparent problem using framework

    1.1
    >> on win2k server. User's randomly get sent to the login
    >> page when they are not logged out. Although they get

    sent
    >> to the login page they are not really logged out, if

    they
    >> click a link to the page they were on they get right

    back
    >> in without logging in again. You might check and see if
    >> your situation is the same, that is are they truly

    logged
    >> out or just directed to the login page.
    >>
    >> Best Regards,
    >>
    >> Joe Audette
    >> >-----Original Message-----
    >> >Hi,
    >> >I didn't get any responses from the first post I made

    >> about this so I've
    >> >done a bit more investigation but I'm still having

    >> problems (but only in
    >> >Production (Win 2003) not development (XP Pro)). This

    >> leads me to think it's
    >> >a server config issue rather than code problem. Anyway

    >> here's the
    >> >problem....hope you can help.
    >> >
    >> >My logged on users are randomly kicked out of my

    secure
    >> pages well before
    >> >the auth cookie expires. The persist cookie is working

    >> as I can see it
    >> >stored in the browser cache. Apparently their Forms

    >> Authenicated session has
    >> >expired however & there seems to be no pattern as to

    >> when it expires.
    >> >
    >> >The standard user "Session" appears to be fine and

    lasts
    >> for the configured
    >> >length in Web.Config.
    >> >
    >> >Here's what I've tried....
    >> >
    >> >Changing the Forms Cookie name & Timeout.
    >> >Checking all code (it works exactly as expected on my

    XP
    >> Pro box)
    >> >Asked hosting provider if they broke it (said they

    >> didn't)
    >> >
    >> >Is it possible that a setting in Machine.Config could

    be
    >> causing me these
    >> >issues? If so what section would it be?
    >> >
    >> >Any ideas at all would be appreciated as I'm really

    >> stuck with this and my
    >> >users are not so happy.
    >> >
    >> >
    >> >thanks for looking
    >> >
    >> >Pete
    >> >
    >> >
    >> >
    >> >
    >> >
    >> >.
    >> >

    >
    >
    >.
    >
     
    Joe Audette, Dec 10, 2003
    #4
  5. Pete

    Pete Guest

    Well there goes my theory on the patch.

    My site was same, worked flawlessly for months then all of a sudden I get
    this issue.
    Strangly it is still ok on my XP box so I know it's not code. I still want
    ot use the built
    in Forms authentication rather than code my own but if Microsoft can't help
    out (hint hint)
    then I might have to rewite it all.

    One other thing I did notice last night was that I could re-establish a
    session after closing the browser and re-opening again. I guess this just
    shows that the cookie has been persisted correctly and can still
    authenticate the user. Unfortunatley I still got a random timeout a few
    minutes later......

    Another option I was thinking of was moving hosting provider, could be just
    a way my host has configured something, but I'm not 100% sure.

    I'll let you know if this ever gets sorted, but I'm not holding my breath as
    it's been the best part of a month now.

    Microsoft please help us........

    regards

    Pete

    --
    Cheers

    Pete

    XBOX Live Leagues & Tournaments
    http://www.xboxracing.net/
    "Joe Audette" <> wrote in message
    news:1153501c3bf69$73e059a0$...
    > It doesn't look like we have that patch on our server.
    > We're not using FrontPage extensions. I'll be interested
    > to hear if you ever find a fix. I was not able to so I
    > had to scrap the automatic re-direction to login from the
    > web.config files and code my own checks and re-direction.
    > The difference with the login may be because we are using
    > win2k server, but the problem started suddenly after
    > running a long time with no problems. Its like the server
    > loses the session state context intermittently.
    > I've been trapping errors where references to
    > Context.User results in a not an instance of an object
    > error, but then just a fraction of a second later in my
    > exception handler I'm able to determine who the user is
    > by Context.User
    > Weird!!! I wish the Microsoft guys would respond to this
    > but I guess they won't until it affects more users.
    >
    > Best Regards,
    >
    > Joe
    > >-----Original Message-----
    > >Hi Joe,
    > >
    > >Thanks for the reply. I've tested and I don't seem to be

    > able to resume a
    > >session again after being redirected back to the logon

    > page.
    > >
    > >I've tried pretty much everything, the only thing could

    > be........has your
    > >server got the Microsoft Security patch " Q813380"
    > >http://support.microsoft.com/?kbid=813380 installed? I

    > seemed to have these
    > >problems after this patch was applied (can't be 100%

    > sure though). Although
    > >it doesn't sound like it should affect anything I guess

    > anything is
    > >possible. If you do have this patch could you let me

    > know and I'll then try
    > >applying to my XP dev box here to see if the issue can

    > be replicated.
    > >
    > >thanks
    > >
    > >Pete
    > >
    > >
    > >
    > >"Joe Audette" <> wrote in

    > message
    > >news:0fee01c3be76$a9841590$...
    > >> I am having the same apparent problem using framework

    > 1.1
    > >> on win2k server. User's randomly get sent to the login
    > >> page when they are not logged out. Although they get

    > sent
    > >> to the login page they are not really logged out, if

    > they
    > >> click a link to the page they were on they get right

    > back
    > >> in without logging in again. You might check and see if
    > >> your situation is the same, that is are they truly

    > logged
    > >> out or just directed to the login page.
    > >>
    > >> Best Regards,
    > >>
    > >> Joe Audette
    > >> >-----Original Message-----
    > >> >Hi,
    > >> >I didn't get any responses from the first post I made
    > >> about this so I've
    > >> >done a bit more investigation but I'm still having
    > >> problems (but only in
    > >> >Production (Win 2003) not development (XP Pro)). This
    > >> leads me to think it's
    > >> >a server config issue rather than code problem. Anyway
    > >> here's the
    > >> >problem....hope you can help.
    > >> >
    > >> >My logged on users are randomly kicked out of my

    > secure
    > >> pages well before
    > >> >the auth cookie expires. The persist cookie is working
    > >> as I can see it
    > >> >stored in the browser cache. Apparently their Forms
    > >> Authenicated session has
    > >> >expired however & there seems to be no pattern as to
    > >> when it expires.
    > >> >
    > >> >The standard user "Session" appears to be fine and

    > lasts
    > >> for the configured
    > >> >length in Web.Config.
    > >> >
    > >> >Here's what I've tried....
    > >> >
    > >> >Changing the Forms Cookie name & Timeout.
    > >> >Checking all code (it works exactly as expected on my

    > XP
    > >> Pro box)
    > >> >Asked hosting provider if they broke it (said they
    > >> didn't)
    > >> >
    > >> >Is it possible that a setting in Machine.Config could

    > be
    > >> causing me these
    > >> >issues? If so what section would it be?
    > >> >
    > >> >Any ideas at all would be appreciated as I'm really
    > >> stuck with this and my
    > >> >users are not so happy.
    > >> >
    > >> >
    > >> >thanks for looking
    > >> >
    > >> >Pete
    > >> >
    > >> >
    > >> >
    > >> >
    > >> >
    > >> >.
    > >> >

    > >
    > >
    > >.
    > >
     
    Pete, Dec 11, 2003
    #5
  6. Pete

    Brian Scott Guest

    Not much to add beyond what has been said, just want to add my comapny
    as one affected by this. We are seeing the same problem recently
    after the application ran fine for a number of months. The server is
    Win2k and we are using Forms Authentication. There sems to be no
    pattern to the users being redirected to the login page. I'll have
    them test the next time if they are indeed logged out or just
    redirected.



    "Joe Audette" <> wrote in message news:<027f01c3be79$52504b60$>...
    > I'm also seeing some evidence that when this occurs, that
    > Context.User is not an object, the problem seems to be
    > random and momentary, that is a few seconds later
    > Context.User is resolved as an object if the user tries
    > the page again.
    >
    >
    > To clarify, we are also using forms authentication.
    >
     
    Brian Scott, Dec 16, 2003
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Pete
    Replies:
    1
    Views:
    470
  2. Eric
    Replies:
    2
    Views:
    1,497
    Tommy
    Feb 13, 2004
  3. =?Utf-8?B?bWF2cmlja18xMDE=?=

    Forms Authentication Fails some times and not some times???

    =?Utf-8?B?bWF2cmlja18xMDE=?=, Mar 28, 2006, in forum: ASP .Net
    Replies:
    0
    Views:
    495
    =?Utf-8?B?bWF2cmlja18xMDE=?=
    Mar 28, 2006
  4. Eric
    Replies:
    2
    Views:
    559
  5. Lars-Erik

    Windows authentication times out (?)

    Lars-Erik, Oct 22, 2009, in forum: ASP .Net Security
    Replies:
    0
    Views:
    784
    Lars-Erik
    Oct 22, 2009
Loading...

Share This Page