c# - ASP.NET MVC3 Forms Authentication Expiring Prematurely -


we have online assessment platform built mvc3. runs in iis on single dedicated server running windows server 2012 r2 on have full control. users have been reporting "getting logged out" during assessments.this problem many of our assessments have time constraints , logging in costs users valuable seconds.

i have been unable replicate issue during testing, have confirmed consulting our logs last 2 months ~15-20% of users have log in @ point during assessment. 10 months prior <2% had log in.

i have compared our current code base how 3 months ago, , nothing remotely related logging in , authentication has been changed. knowledge no settings on server have been changed.

there many hundreds of files, , thousands of lines of code in application, try , share relevant bits in hope can me resolve this. if there information have missed, leave comment , add possible.

from web.config:

<authentication mode="forms">   <forms loginurl="~/login/" timeout="300" slidingexpiration="true" /> </authentication> 

this how create auth cookie:

guid user_id = /* lookup id username after verification */ string user_role = /* csv specifying roles user has */ datetime expiry = datetime.now.addhours(5); formsauthenticationticket authticket = new formsauthenticationticket(1, user_id.tostring(), datetime.now, expiry, false, user_role, "/"); httpcookie cookie = new httpcookie(formsauthentication.formscookiename, formsauthentication.encrypt(authticket)); cookie.expires = expiry;  httpcontext.current.response.cookies.add(cookie); 

we user custom implementation of authorizeattribute restrict access actions this:

public class mycontroller : controller {     [customauthorize(roles = "myrole")]     public actionresult myaction()     {         // stuff         return view();     } } 

which defined follows:

[attributeusage(attributetargets.method | attributetargets.class, inherited = true, allowmultiple = true)] public class customauthorizeattribute : authorizeattribute {     public override void onauthorization(authorizationcontext filtercontext)     {         string cookiename = formsauthentication.formscookiename;          if (!filtercontext.httpcontext.user.identity.isauthenticated ||             filtercontext.httpcontext.request.cookies == null ||             filtercontext.httpcontext.request.cookies[cookiename] == null         )         {             handleunauthorizedrequest(filtercontext);             return;         }          var authcookie = filtercontext.httpcontext.request.cookies[cookiename];         var authticket = formsauthentication.decrypt(authcookie.value);         string[] roles = authticket.userdata.split(',');          var useridentity = new genericidentity(authticket.name);         var userprincipal = new genericprincipal(useridentity, roles);          filtercontext.httpcontext.user = userprincipal;         base.onauthorization(filtercontext);     } } 

this has been setup last 3 years, , has been last 2 months have been problematic. can see cookie set expire 5 hours after creation. users have been typically pretty vague reports, , looking @ our logs amount of time between initial login , having login again ranges anywhere between few minutes , couple of hours. have had on server @ think relevant settings , can't see thing may cause problem:

iis settings

the thing can think of cause them "logged out" authentication cookie expire prematurely (or deleted guess). talking thousands of users, hundreds of companies. many using own pcs rather provided work. if 1 has ideas @ love hear them.

since use response.add rather setcookie plus define fixed expiry date makes cookies persistent, chances users have forms cookies issued twice, if log in within these 5 hours twice.

i check if doesn't confuse forms auth module. 1 of such multiple cookies expire @ point of time , sliding expiration forces reissued. possibly opens scenario there multiple cookies in single request, of them expired.

my advice use http debugger check , replace code thst possibly makes duplicates of auth cookies.


Comments

Popular posts from this blog

angular - Is it possible to get native element for formControl? -

unity3d - Rotate an object to face an opposite direction -

javascript - Why jQuery Select box change event is now working? -