Forms authentication BIG issue


Guest

Hello,
I have an application that is using forms authentication and it seems to
be working fine most of the time. Unfortunately, it sometimes just redirects
me to the login screen. It seems that the session timed out. But I login
again and do the same action, it redirects me AGAIN to the login page:

1. I login to the app now.
2. I hit some* "server side" link button or button (or any other object that
raises a server side event).
3. The app takes me to the login screen. (Just as if the session had timed
out)
4. I login again to the app.
5. I immediately hit on the same "server side" object.
6. I get redirected to the login page again.

* by saying some, I mean that it is a random part of the application. Today
may be on link "A" and tomorrow on button "B"

The whole process can take me as little as a few seconds. I can even try to
use a different computer, different user (even different countries!!) and the
problem will be the same.

But if we try later:

7. I login to the application in a few hours.
8. I hit on the very same "server side" object.
9. It works perfectly!!!!!
10. I continue to work with the app and in some* other place, I get
redirected to the login screen.

* by saying some, I mean that it is a random part of the application. Today
may be on link "A" and tomorrow on button "B"

I have modified the authentication cookie to be persistent or not, to have
a longer time out period, I have modified the sessionState and the
authentication tags in the web.config and I'm still having the issue.

Any ideas?? Any at all?? I'm willing to try almost everything at this
point!!

Should you have any questions or comments, let me know.

Regards,
Cesar Saucedo
 

Brock Allen

Forms authentication does not relate to session at all, except that they
both use cookies to track the user, so changing session will have no effect
on the forms authentication (unless you've somehow built a relationship between
them in your code).

As for your problem, I'd suggest on your login page to check to see if the
user is logged in and if so show their current login on the form. It feels
to me like your user is logged in and they access a resource where they're
not authorized. Even if you're logged in you'll be sent back to the login
page to provide credentials for the resource you were just trying to access.
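
The check suggested in this reply, as an added example that is not part of the original thread: a helper for the login page that tells apart "no cookie sent", "cookie sent but ticket unusable" and "valid login redirected by authorization". The class name, method name and the `lblDiag` label are hypothetical, and .NET 2.0 or later is assumed.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security

' Hypothetical helper (class and method names are assumptions, not from the thread).
Public Class LoginDiagnostics

    ' For a request that landed on the login page, reports which situation applies:
    ' no forms cookie, an unusable ticket, or a valid login that was still redirected.
    Public Shared Function DescribeAuthState(ByVal ctx As HttpContext) As String
        Dim cookie As HttpCookie = ctx.Request.Cookies(FormsAuthentication.FormsCookieName)

        ' 1. The browser sent no forms cookie (never set, expired client-side,
        '    or its path/domain does not cover this URL).
        If cookie Is Nothing OrElse String.IsNullOrEmpty(cookie.Value) Then
            Return "No forms cookie was sent with this request."
        End If

        ' 2. A cookie arrived but the ticket inside cannot be used.
        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(cookie.Value)
        Catch ex As Exception
            Return "Forms cookie present but the ticket failed decryption/validation (" & ex.GetType().Name & ")."
        End Try
        If ticket Is Nothing Then
            Return "Forms cookie present but it contains no ticket."
        End If
        If ticket.Expired Then
            Return "Ticket for '" & ticket.Name & "' expired at " & ticket.Expiration.ToString("u") & "."
        End If

        ' 3. The ticket is valid: the redirect came from authorization, not from a lost login.
        If ctx.Request.IsAuthenticated Then
            Return "Signed in as '" & ctx.User.Identity.Name & "' (user data '" & ticket.UserData & _
                   "') but not authorized for '" & ctx.Request.QueryString("ReturnUrl") & "'."
        End If
        Return "Ticket is valid but the request was not authenticated."
    End Function
End Class

' In the login page's Page_Load (lblDiag is a hypothetical Label control).
' ReturnUrl comes from the request, so encode before rendering:
'     lblDiag.Text = Server.HtmlEncode(LoginDiagnostics.DescribeAuthState(Context))
```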
 

mallik

Can you post the code: web.config and the code where you set the FormsAuthentication ticket?
 

Guest

See the code below.

mallik said:
Can you post the code: web.config and the code where you set the FormsAuthentication ticket?

This is the actual code, I only left out the appSettings and renamed the
application in the web.config.

Notice that the resource that I'm hitting, is in the "source" folder, not in
the login_head folder

--- web.config

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="4096" />
    <compilation defaultLanguage="vb" debug="false" />
    <customErrors mode="Off" />

    <authentication mode="Forms">
      <forms name="MyAppLoginProcess" loginUrl="/MyApp/source/login.aspx"
             protection="All" path="/MyApp" timeout="120" />
    </authentication>

    <trace enabled="false" requestLimit="10" pageOutput="false"
           traceMode="SortByTime" localOnly="true" />
    <sessionState mode="InProc" cookieless="false" timeout="120" />
    <globalization requestEncoding="utf-8" responseEncoding="utf-8"
                   culture="en-US" uiCulture="en-US" />
  </system.web>
  <location allowOverride="true">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="login_head">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <appSettings>
    <!-- My app settings... there are LOTS of them!!! -->
    <add key="sAppName" value="MyApp" />
    <!-- And many many other config settings -->
  </appSettings>

</configuration>


----- In login.aspx.vb

Public Sub fCreateCookie()
    Dim tktAuthentication As FormsAuthenticationTicket
    Dim strCookie As String
    Dim ckkLogin As HttpCookie
    Dim intUserType As Int16

    ' fLogin verify that the user is valid in my database and retrieves the user type.
    ' retrieves -1 if the login failed
    intUserType = fLogin()

    ' strUser has the user name
    tktAuthentication = New FormsAuthenticationTicket(3, strUser, _
        DateTime.Now(), _
        DateTime.Now.AddMinutes(120), False, intUserType.ToString)
    strCookie = FormsAuthentication.Encrypt(tktAuthentication)
    ckkLogin = New HttpCookie(FormsAuthentication.FormsCookieName(), strCookie)
    Response.Cookies.Add(ckkLogin)
    If intUserType < 0 Then
        ' This function redirects the user to another page that will show
        ' an error message, destroy the login cookie and redirect to the login page.
        fLogoutRedirect("loginerror")
    End If
End Sub
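
A hardened form of the ticket issuance above, as an added example that is not the poster's code: in `fCreateCookie` the encrypted ticket is added to the response before `intUserType` is checked, and the hand-built cookie carries no `Path`, so it defaults to `/` instead of the `/MyApp` path set on `<forms>`. The `LoginTicket` class and `TryIssue` method are hypothetical names, and .NET 2.0 or later is assumed for `HttpOnly`.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security

' Hypothetical helper (names are assumptions, not from the thread).
Public Class LoginTicket

    ' Issues the forms cookie only for a successful login (userType >= 0).
    ' Returns True when a cookie was added to the response.
    Public Shared Function TryIssue(ByVal response As HttpResponse, _
                                    ByVal userName As String, _
                                    ByVal userType As Short) As Boolean
        ' Failed login: nothing is encrypted and nothing is sent to the browser.
        If userType < 0 Then
            Return False
        End If

        Dim issued As DateTime = DateTime.Now
        ' Same version, lifetime and user data as the original post; the seventh
        ' argument records the configured cookie path inside the ticket.
        Dim ticket As New FormsAuthenticationTicket(3, userName, issued, _
            issued.AddMinutes(120), False, userType.ToString(), _
            FormsAuthentication.FormsCookiePath)

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        ' Match the <forms path="..."> setting so sign-out expires this same cookie.
        cookie.Path = FormsAuthentication.FormsCookiePath
        ' Follow <forms requireSSL="..."> and keep the ticket away from script.
        cookie.Secure = FormsAuthentication.RequireSSL
        cookie.HttpOnly = True

        response.Cookies.Add(cookie)
        Return True
    End Function
End Class

' Caller in login.aspx.vb, using the poster's own names:
'     If Not LoginTicket.TryIssue(Response, strUser, fLogin()) Then
'         fLogoutRedirect("loginerror")
'     End If
```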
 

Guest

Thank you, I will try that, I have also posted the actual code as a response to
mallik in this thread.

Regards,
Cesar
 
