Problem with Forms Authentication cookies

Discussion in 'ASP .Net Security' started by Scott, Oct 15, 2003.

  1. Scott

    Scott Guest

    Hi,

    We're having an issue with Forms Authentication cookies being treated as
    expired / invalid, and being deleted. This is causing our intranet users a
    great deal of pain.

    - Running IIS 5.0 on Win2k Server
    - Forms Authentication is set up with a timeout value of 45 minutes in
    web.config
    - Session timeout is set to 45 minutes in web.config

    In viewing the IIS logs, we can see a request for an aspx page (a POST) with
    a response of 302. The log shows the cookies sent in with the request -
    only 2, the ASP.NET_SessionID cookie and the Forms Authentication cookie,
    which we named CSSAuth.

    The next request coming in is a GET request for the Forms Authentication
    login aspx page. The query string contains the url of the originally
    requested page. In this request there is only one cookie - the
    ASP.NET_SessionID cookie. The CSSAuth cookie is NOT THERE in this request.

    In looking at the logs for NORMAL expired authentication redirects, these
    requests always contain the CSSAuth cookie, even though it is expired. In
    the cases where users get redirected to login prior to authentication
    timeout, the cookie is missing from the GET request issued in response to
    the redirect.

    Why is this authentication ticket cookie seen as invalid prior to timeout?
    Why is this cookie being removed? What piece of code is responsible for
    doing all this?

    Scott L.
     
    Scott, Oct 15, 2003
    #1

  2. Scott

    Rajesh.V Guest

    We had the same problem. After a lot of hunting, we found that running antivirus
    software causes the web.config, global.asax or the dll to be touched. This
    causes the worker process to recycle and you lose all sessions. And this
    happens randomly, and sessions don't last beyond 3 mins.

    The best solution is using out-of-process session management, that is, in a
    SQL Server.

    "Scott" <> wrote in message
    news:...
    > Hi,
    >
    > We're having an issue with Forms Authentication cookies being treated as
    > expired / invalid, and being deleted. This is causing our intranet users a
    > great deal of pain.
    >
    > - Running IIS 5.0 on Win2k Server
    > - Forms Authentication is set up with a timeout value of 45 minutes in
    > web.config
    > - Session timeout is set to 45 minutes in web.config
    >
    > In viewing the IIS logs, we can see a request for an aspx page (a POST) with
    > a response of 302. The log shows the cookies sent in with the request -
    > only 2, the ASP.NET_SessionID cookie and the Forms Authentication cookie,
    > which we named CSSAuth.
    >
    > The next request coming in is a GET request for the Forms Authentication
    > login aspx page. The query string contains the url of the originally
    > requested page. In this request there is only one cookie - the
    > ASP.NET_SessionID cookie. The CSSAuth cookie is NOT THERE in this request.
    >
    > In looking at the logs for NORMAL expired authentication redirects, these
    > requests always contain the CSSAuth cookie, even though it is expired. In
    > the cases where users get redirected to login prior to authentication
    > timeout, the cookie is missing from the GET request issued in response to
    > the redirect.
    >
    > Why is this authentication ticket cookie seen as invalid prior to timeout?
    > Why is this cookie being removed? What piece of code is responsible for
    > doing all this?
    >
    > Scott L.
     
    Rajesh.V, Oct 16, 2003
    #2
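
Added example, not part of either post: the log comparison described in the first post, automated, pairing each 302 that carried the CSSAuth cookie with the same client's follow-up GET of the login page and reporting whether the cookie was still sent. The log lines are constructed, and the `/login.aspx` path and the W3C field layout are assumptions; only the CSSAuth name comes from the thread.

```python
# Constructed IIS W3C extended log sample (not from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
2003-10-15 14:00:01 10.0.0.5 POST /orders/edit.aspx - 302 ASP.NET_SessionId=aaa111;+CSSAuth=TICKET1
2003-10-15 14:00:01 10.0.0.5 GET /login.aspx ReturnUrl=%2forders%2fedit.aspx 200 ASP.NET_SessionId=aaa111
2003-10-15 14:50:10 10.0.0.9 POST /orders/list.aspx - 302 ASP.NET_SessionId=bbb222;+CSSAuth=TICKET2
2003-10-15 14:50:10 10.0.0.9 GET /login.aspx ReturnUrl=%2forders%2flist.aspx 200 ASP.NET_SessionId=bbb222;+CSSAuth=TICKET2
2003-10-15 14:55:00 10.0.0.7 GET /orders/list.aspx - 200 ASP.NET_SessionId=ccc333;+CSSAuth=TICKET3
"""

AUTH_COOKIE = "cssauth"               # cookie name from the thread, compared lowercased
SESSION_COOKIE = "asp.net_sessionid"  # compared lowercased
LOGIN_PAGE = "/login.aspx"            # assumed login URL

def parse_cookies(raw):
    """IIS writes spaces as '+', so 'a=1; b=2' is logged as 'a=1;+b=2'."""
    if raw == "-":
        return {}
    pairs = (p.split("=", 1) for p in raw.replace("+", " ").split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def parse_log(text):
    """Yield one dict per request, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_login_redirects(text):
    """Classify each redirect to the login page by whether the auth cookie survived."""
    pending = {}   # (client ip, session id) -> the 302 awaiting its follow-up GET
    findings = []
    for e in parse_log(text):
        cookies = parse_cookies(e.get("cs(Cookie)", "-"))
        key = (e["c-ip"], cookies.get(SESSION_COOKIE))
        if e["sc-status"] == "302" and AUTH_COOKIE in cookies:
            pending[key] = e
        elif key in pending and e["cs-method"] == "GET" \
                and e["cs-uri-stem"].lower() == LOGIN_PAGE:
            first = pending.pop(key)
            kind = "cookie-kept" if AUTH_COOKIE in cookies else "cookie-dropped"
            findings.append((kind, e["c-ip"], first["cs-uri-stem"], first["time"]))
        else:
            pending.pop(key, None)   # any other request clears the pending 302
    return findings
```

Lining up the timestamps of the `cookie-dropped` rows against worker-process recycle events or file-change times on web.config would test the explanation given in the reply.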