Reputation: 115
This will be my first question here!
I'm having problems with my MVC4 app and randomly occurring logouts.
I use sessions to store my company id and the id of the user.
    private void SetSessionData(string UserName)
    {
        Employee data = (from employee in _db.Employees where employee.Email == UserName select employee).First();
        Session.Add("Comp_ID", data.Comp_ID);
        Session.Add("Company", data.Company.Name);
        Session.Add("User_ID", data.ID);
    }
I have set the timeout value to 600 for the session (10 hours); this is even set in 2 places to be sure:
    [AllowAnonymous]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        {
            //FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe); // makes sure remember me works!
            SetSessionData(model.UserName);
            Session.Timeout = 600;
            if (model.RememberMe)
            {
                Response.Cookies.Add(new HttpCookie("CookieUserName", model.UserName) { Expires = DateTime.Now.AddDays(30), Value = model.UserName });
                Response.Cookies.Add(new HttpCookie("CookieRememberMe", model.RememberMe.ToString()) { Expires = DateTime.Now.AddDays(30), Value = model.RememberMe.ToString() }); // sets the new cookie
            }
            else
            {
                Response.Cookies.Set(new HttpCookie("CookieUserName") { Expires = DateTime.Now.AddDays(-1) });
                Response.Cookies.Set(new HttpCookie("CookieRememberMe") { Expires = DateTime.Now.AddDays(-1) });
            }
            if (string.IsNullOrEmpty(returnUrl))
            {
                return RedirectToLocal(returnUrl);
            }
            return RedirectToAction("Index", "Home");
        }
        // If we got this far, something failed, redisplay form
        ModelState.AddModelError("", "Vi har enten ikke brugernavnet eller koden i kartoteket.");
        return View(model);
    }
and here in the web.config:
    <system.web>
      <machineKey validationKey="MyKeyGoesHere" validation="SHA1" decryption="AES" />
      <sessionState timeout="600" />
      <compilation debug="true" targetFramework="4.5">
        <assemblies>
          <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        </assemblies>
      </compilation>
      <httpRuntime targetFramework="4.5" />
      <authentication mode="Forms">
        <forms loginUrl="~/Account/Login" timeout="600" />
      </authentication>
My cookies seem to be saved for 10 hours, and my session_id cookie expiration seems to be set to "when the browser closes".
Server side I have set the app pool to recycle at 1am.
Even though all this is set, my users still get random logouts anywhere between 2 min after login and 1 hour after login.
To counter some of the random half login state problems I have had, I included this:
    @if(Session == null || Session["User_ID"] == null || !WebSecurity.Initialized){
        //Makes sure the session data is cleared and user logged out if session dies.
        try
        {
            if(Session != null) {Session.Clear();}
            if (WebSecurity.Initialized){WebSecurity.Logout();}
            FormsAuthentication.SignOut();
            // this is to stop caching.
            Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Cache.SetNoStore();
        }catch{ <p>Error Clearing Login Cache</p>}
    }
I'm pretty lost by now and hope a guru out there might know what beginner's mistake I'm making here!
Thanks for ALL responses in advance!
Edit:
I also tried this: http://www.windowsitpro.com/article/security-development/create-persistent-id-cookies
(original link from: ASP.NET MVC FormsAuthentication Cookie timeout cannot be increased)
but that just made my app log out every single time I pressed anything after login.
The app is running on Windows Server 2012 with IIS8.
More adds:
I found out the session_id cookie is still set to "when closed" in the browser:
cloud.hviidnet.com/image/2X3v2y2e1K1S
The strange thing is it's set to 600 min, even when I look in the IIS server:
cloud.hviidnet.com/image/1e3J1g2u3p2M
Upvotes: 2
Views: 2176
Reputation: 115
The solution was to remove all use of "Session." and get all the data from the database instead with WebSecurity.CurrentUserID.
Hope this helps someone else!
Upvotes: 1
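One way to apply the approach from the answer above, as an added example that is not part of the original post: the employee record is resolved from the forms-authentication identity on each request, so the company and user ids no longer depend on session state, which has its own lifetime separate from the authentication cookie. The model classes are stand-ins built from the property names in the question; `AppDb`, `EmployeeController` and the `HttpContext.Items` key are hypothetical names, and keying on `User.Identity.Name` assumes the login name is the employee's e-mail, as in the question's `SetSessionData`.

```csharp
using System.ComponentModel.DataAnnotations.Schema;
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;

// Stand-ins for the asker's model; property names are taken from the question.
public class Company { public int ID { get; set; } public string Name { get; set; } }
public class Employee
{
    public int ID { get; set; }
    public string Email { get; set; }
    [ForeignKey("Company")] public int Comp_ID { get; set; }
    public virtual Company Company { get; set; }
}
public class AppDb : DbContext { public DbSet<Employee> Employees { get; set; } } // hypothetical name

public abstract class EmployeeController : Controller // hypothetical base class
{
    private const string ItemKey = "CurrentEmployee"; // hypothetical per-request cache key
    protected readonly AppDb _db = new AppDb();

    // Looked up from the authenticated identity on every request instead of
    // being read back from Session["Comp_ID"] / Session["User_ID"].
    protected Employee CurrentEmployee
    {
        get
        {
            if (!User.Identity.IsAuthenticated) return null;
            var cached = HttpContext.Items[ItemKey] as Employee;
            if (cached != null) return cached;
            string userName = User.Identity.Name; // assumed to equal Employee.Email
            var employee = _db.Employees.FirstOrDefault(e => e.Email == userName);
            HttpContext.Items[ItemKey] = employee; // at most one query per request
            return employee;
        }
    }
    protected override void Dispose(bool disposing) { if (disposing) _db.Dispose(); base.Dispose(disposing); }
}

public class HomeController : EmployeeController
{
    [Authorize]
    public ActionResult Index()
    {
        var me = CurrentEmployee;
        // Valid ticket but no matching employee row: send the user back to login.
        if (me == null) return new HttpUnauthorizedResult();
        ViewBag.Company = me.Company.Name;
        ViewBag.CompanyId = me.Comp_ID;
        return View();
    }
}
```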
Reputation: 7429
Do you only have a single web server? If you have multiple servers load balanced, the session could be getting lost as the user gets routed to different servers between posts, which would explain why it happens at random intervals.
Upvotes: 0