User kicks out to login page after 2 minutes

Question

User1389104777 posted

HI,

We have recently migrated our asp.net web site code to windows server 2016 and visual studio 2017 from visual studio 2012(I guess). After the migrating we observed that when there is no activity for 2 minutes, user gets kicked off from app and lands in login page. There is no change while migrating our code to VS2017. Before migration we don't see this issue. Any help would be appreciated. We also have migrated the url from http to https.

<authentication mode="Forms">

<forms loginUrl="Login.aspx" protection="All" timeout="30" name="xxx" path="/xxx" requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx" cookieless="UseCookies" enableCrossAppRedirects="false"/>

</authentication>

Thanks,

Varsha

Answer 1

User475983607 posted

Check the usual stuff...

If the site is load balanced make sure all web server use the same machine key.  Make sure the application pool is not restarting.  Make sure you are not uploading files to the bin directory or changing the web.config.  Make sure the server date, time, and time zone are set properly.  Verify the application is not throwing a bunch of errors which can cause a restart.

Use the browser's network trace tools to verify the auth cookie and expiration on the client.

Answer 2

User1389104777 posted

Yes, the site is load balanced in a web farm. We have checked everything, nothing is changed. Tried generating the machine key and use in config file, but didn't help.

Answer 3

User475983607 posted

Yes, the site is load balanced in a web farm. We have checked everything, nothing is changed. Tried generating the machine key and use in config file, but didn't help.

This is not magic. 

Setting a consistent machine keys on all load balanced machines allows the machines to decrypt the authentication cookie.  Make sure you restarted the server so the machine key takes affect.  If after making this change you are still having issues then perhaps you have other code issues like storing user data in Session or cache.

Try setting sticky sessions or affinity, whatever your load balancer calls it, so that all clients stay on the same server.  If sticky session works then you have a configuration or code issue.

Can you explain what "checked everything" means?  What have you checked exactly?

Answer 4

User-893317190 posted

Hi b.v.varsha13@gmail.com,

One of the possible cause is your session mode.

What  the session mode do you use?

InProc、StateServer  or SqlServer?

If you use inProc, because your session is stored in one of your server,if the user visit another server, they will logout.

Please try to change your  session state to stateServer or sqlServer to see whether it solve your problem.

About how to config stateServer and sqlServer , please refer to https://msdn.microsoft.com/en-us/library/ms178586.aspx

You could also refer to the link below https://dotnetcodr.com/2013/07/01/web-farms-in-net-and-iis-part-5-session-state-management/

https://blogs.msdn.microsoft.com/webtopics/2017/06/21/session-state-is-lost-in-web-farm-if-you-use-sqlserver-or-stateserver-session-mode/

Best regards,

Ackerly Xu

Answer 5

User753101303 posted

Hi,

You can also use F12 or have a test page to first understand what happens exactly (for example showing which server is processing the request).

Answer 6

User1389104777 posted

Hi,

The same application works fine before the migration to https. After migrating to https, we have seen the kick off if no activity for more than a minute.

I tried to generate the machine key and pasted in the web.config file so that all servers use the same key.

Do we need to change "requireSSL= true" in web.config for using https?

With F12 I cannot see any errors. There are some warnings "Unexpected "</body>" or end of file. All open elements should be closed before the end of the document.", but I checked the whole code there are no changes from previous versions.

Thanks,

Varsha