Re: Problem with Forms Authentication cookies

From: Rajesh.V (Rajesh_vanchi_at_hotmail.com)
Date: 10/16/03 

Date: Thu, 16 Oct 2003 09:45:56 -0400

We had the same problem, after lot of hunting, we found, running Antivirus
software causes the web.config, global.asax or the dll to be touched. The
causes the workerprocess to recycle and u loose all session. And this
happens randomly, and sessions dont last beyond 3 mins.

The best solution is using out of process session management. That is in an
sql server.

"Scott" <ScottLorenz@UniversalComputerSys.Com> wrote in message
news:OtxKLh1kDHA.2500@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> We're having an issue with Forms Authentication cookies being treated as
> expired / invalid, and being deleted. This is causing our intranet users a
> great deal of pain
>
> - Running IIS 5.0 on Win2k Server
> - Forms Authentication is setup with a timeout value of 45 minutes in
> web.config
> - Session timeout is set to 45 minutes in web.config
>
> In viewing the IIS logs, we an see a request for an aspx page (a POST)
with
> a response of 302. The log shows the cookies sent in with the request -
> only 2, the ASP.NET_SessionID cookie and the Forms Authentication cookie,
> which we named CSSAuth.
>
> The next request coming is is a GET request for the Forms Authentication
> login aspx page. The query string contains the url of the originally
> requested page. In this request there is only one cookie - the
> ASP.NET_SessionID cookie. The CSSAuth cooke is NOT THERE in this request.
>
> In looking at the logs for NORMAL expired authentication redirects these
> requests always contain the CSSAuth cookie, even though it is ezpired.
In
> the cases where users get redirected to login prior to authentication
> timeout, the cookie is missing from the GET request issued in response to
> the redirect.
>
> Why is this authentication ticket cookie seen as invalid prior to timeout?
> Why is this cookie being removed? What piece of code is responsible for
> doing all this?
>
> Scott L.
>
>

Relevant Pages

  • Re: Forms Authentication problem with WebRequest
    ... The normal request will go like this: ... handles login, redirects to page.aspx, passes a cookie or url variable ... reqests page.aspx and sends cookie back to server ... - authenticating has nothing to do with this scenario, but with server authentication. ...
    (microsoft.public.dotnet.framework)
  • Re: strange Formsauthentication behavior
    ... it runs several times because of the redirects that are done during authentication ... // cookie as data. ... HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket); ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: HttpWebRequest and Forms Authentication
    ... separate request though, if the user is already authenticated then you can ... you are hitting an external web site that is using Forms Auth. ... > authentication page and post some credentials so that you can get the cookie ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Problem with Forms Authentication cookies
    ... We're having an issue with Forms Authentication cookies being treated as ... Session timeout is set to 45 minutes in web.config ... The log shows the cookies sent in with the request - ... only 2, the ASP.NET_SessionID cookie and the Forms Authentication cookie, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: HttpWebRequest and Forms Authentication
    ... you will probably need to make a separate request to the ... authentication page and post some credentials so that you can get the cookie ... >> the WebRequest it gets sent to the forms authentication login page that I ...
    (microsoft.public.dotnet.framework.aspnet.security)