Sunday, April 3, 2011

Users being forced to re-login randomly, before session and auth ticket timeout values are reached

I'm having reports and complaints from my user that they will be using a screen and get kicked back to the login screen immediately on their next request. It doesn't happen all the time but randomly. After looking at the Web server the error that shows up in the application event log is:

Event code: 4005 Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.

Everything that I read starts out with people asking about web gardens or load balancing. We are not using either of those. We're a single Windows 2003 (32-bit OS, 64-bit hardware) Server with IIS6. This is the only website on this server too.

This behavior does not generate any application exceptions or visible issues to the user. They just get booted back to the login screen and are forced to login. As you can imagine this is extremely annoying and counter-productive for our users.

Here's what I have set in my web.config for the application in the root:

<authentication mode="Forms">
      <forms name=".TcaNet"
        protection="All"
        timeout="40"
        loginUrl="~/Login.aspx"
        defaultUrl="~/MyHome.aspx"
        path="/"
        slidingExpiration="true"
        requireSSL="false" />
    </authentication>

I have also read that if you have some locations setup that no longer exist or are bogus you could have issues. My path attributes are all valid directories so that shouldn't be the problem:

<location path="js">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="images">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="anon">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="App_Themes">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="NonSSL">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

The only thing I'm not clear on is if my timeout value in the forms property for the auth ticket has to be the same as my session timeout value (defined in the app's configuration in IIS). I've read some things that say you should have the authentication timeout shorter (40) than the session timeout (45) to avoid possible complications. Either way we have users that get kicked to the login screen a minute or two after their last action. So the session definitely should not be expiring.

Update 2/23/09: I've since set the session timeout and authentication ticket timeout values to both be 45 and the problem still seems to be happening.

The only other web.config in the application is in 1 virtual directory that hosts Community Server. That web.config's authentication settings are as follows:

<authentication mode="Forms">
      <forms name=".TcaNet" 
      protection="All" 
      timeout="40" 
      loginUrl="~/Login.aspx" 
      defaultUrl="~/MyHome.aspx" 
      path="/" 
      slidingExpiration="true" 
      requireSSL="true" />
     </authentication>

And while I don't believe it applies unless you're in a web garden, I have both of the machine key values set in both web.config files to be the same (removed for convenience):

<machineKey 
        validationKey="<MYVALIDATIONKEYHERE>" 
        decryptionKey="<MYDECRYPTIONKEYHERE>" 
        validation="SHA1" />

<machineKey 
     validationKey="<MYVALIDATIONKEYHERE>" 
        decryptionKey="<MYDECRYPTIONKEYHERE>" 
     validation="SHA1"/>

Any help with this would be greatly appreciated. This seems to be one of those problems that yields a ton of Google results, none of which seem to be fitting into my situation so far.

From stackoverflow
  • 1.) Check how often your iis process gets recycled. (Turn on logging and check your settings). After a recycle, using the default in proc session store, the session is lost.

    2.) Does your application spawn Threads that may throw an Exception (which are btw not displayed to the user)? Because if that situation exists the iis recycles processes far more often.

    Don : I have run some performance counters and haven't seen any application or worker process restarts. Also, I think if this were the problem all of our users would be kicked at once. The problems we're seeing are more random and impact random users. Also, we're not explicitly spawning separate threads.
    Tobias Hertkorn : Damn it. :) Yes, they would definitively be kicked out all at the same time. Is your webserver accessable through multiple host-names? e.g. is it sometimes www.domain1.com, sometimes www.domain2.com? do you always use the FQDN of the server or sometimes 'web' and sometimes 'web.domain.com'?
    Don : the domain name is always the same for the the people accessing the site on the server. The site is always accessed by the specific subdomain too (i.e. mysite.mydomain.com). This isn't on www.mysite.com or just mysite.com. So I think those two are not possible problem points either.
  • It may also be worth checking the Maximum Worker Processes property for your application pool. If you are using in memory session and have more than one as the max worker process you can find session issues as a users request is handled by a different thread that is unaware of their session.

    Don : It's set to only 1
  • Don, did you resolve this issue? This is exactly what we are experiencing right now.

0 comments:

Post a Comment