Dual Login for Some ASP.Net WebForms Users

I have an ASP.NET WebForms application that uses forms authentication. For a small number of users, we have a problem where they log in, move through several pages, and are then asked to log in again. After logging in for the second time, they seem to be able to log in as expected. They should not be asked the second time.

This is one server, no web farms, nothing complicated.

This only happens to a few users, but it seems that all of them are in the same building. I can't reproduce this, and at this point I would even begin to deny that it happens if one of our trainers had not watched it happen to several clients.

Has anyone else seen something like this?

I also see a lot of "Membership Verification Credentials" errors in the event log. This may be related, but everything I found seems to point to web farms, etc., and not to a single server.

UPDATE

  • There is no proxy server; the IIS server and browser (IE8) are on the same machine.
  • The installed AV software is Symantec Endpoint on one machine; on the other, the user does not have AV at all (AV Fail!).
  • The IE 8 browser is no frills, with no add-on that does not come with a default installation.
  • Session and user timeouts are set to 30 minutes, and the problem occurs within 1 minute after the user logs on to the system.
  • Logging shows only one IP address for the user.
  • I tried sessionMode in all its variants, this does not seem to make any difference.
+4
8 answers

Something must be making ASP.NET think that these users have new sessions, or their cookie authentication becomes invalid. Here are some things I can check:

  • Do the users access the site through a proxy server? One of our clients has a proxy server that sometimes closes all open connections, making ASP.NET see the session as new.
  • Can an overly aggressive antivirus or antispyware product "eat" a session authentication cookie?
  • Do they have a cookie manager browser add-on that causes the validation cookie to disappear or change?
  • It sounds simple, but I have seen this happen because of timeouts that are too short. If the user sits on the page longer than the timeout, they will be forced to log in again. And this may be specific to one page, when a large amount of data is presented on that page and it takes some time to get through.

One more thing that I just thought about: have you allowed several worker processes for the ASP.NET process (like web gardens)? If so, the same restrictions as for a web farm will apply to authentication.

+5

Run Fiddler on the problem user's PC and see what happens in the headers. My bet is that it is related to the proxy server and network issues.

+2

Is it possible that the users get a dynamic IP address? I have seen problems where user sessions got messed up because, for some reason, the IP address they are accessing the site from changes.

+1

Are the people this happens to using a browser that is somehow different (different browsers, different versions, different extensions)? This may be the key.

In general, when the problem is somewhat reproducible or at least predictable, I use Http Fiddler. Install it on the client computer, turn it on and start browsing (this works through the system proxy server, so it will work for Firefox, IE and any other browsers that support proxies). Fiddler will record all HTTP traffic between the client and the server, and then you can view the session later to find any oddities.

This is a long shot, but one thing I have seen happen occasionally, which can lead to similar unpredictable errors, is problems with script concurrency: sometimes buttons and links have onclick handlers that cause postbacks. If you have several such handlers that fire on the same event, in particular when the default event still fires in addition to your custom onclick or something else, you can trigger several postbacks when there should be just one. This can cause all sorts of unpredictable oddities, since it is not entirely clear which request ends with a “victory”, and some odd errors can lead to the end of the session. Since this behavior is very sensitive to browser and network behavior, it seems unpredictable when it occurs.

+1
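As an added illustration of the header check suggested in the answers above (not code from any of the posters): a small Python script that walks a request/response header trace, such as one transcribed from a Fiddler session, and classifies each unexpected bounce to the login page. The trace rows are constructed, and the cookie name `.ASPXAUTH` and login path `/login.aspx` are the ASP.NET defaults, assumed here to be unchanged.

```python
from http.cookies import SimpleCookie

AUTH_COOKIE = ".ASPXAUTH"   # ASP.NET forms-auth default name (assumed not renamed)
LOGIN_PATH = "/login.aspx"  # default loginUrl (assumed)

# Constructed traces: (request path, Cookie header, status, Location, Set-Cookie)
TRACE = [
    ("/login.aspx", "", 302, "/default.aspx", ".ASPXAUTH=AAA111; path=/; HttpOnly"),
    ("/default.aspx", "ASP.NET_SessionId=s1; .ASPXAUTH=AAA111", 200, "", ""),
    ("/orders.aspx", "ASP.NET_SessionId=s1; .ASPXAUTH=AAA111", 200, "", ""),
    ("/report.aspx", "ASP.NET_SessionId=s1", 302, "/login.aspx?ReturnUrl=%2freport.aspx", ""),
    ("/login.aspx", "ASP.NET_SessionId=s1", 302, "/report.aspx", ".ASPXAUTH=BBB222; path=/; HttpOnly"),
    ("/report.aspx", "ASP.NET_SessionId=s1; .ASPXAUTH=BBB222", 200, "", ""),
]
TRACE_SERVER = [
    ("/login.aspx", "", 302, "/default.aspx", ".ASPXAUTH=AAA111; path=/; HttpOnly"),
    ("/default.aspx", ".ASPXAUTH=AAA111", 200, "", ""),
    ("/orders.aspx", ".ASPXAUTH=AAA111", 302, "/login.aspx?ReturnUrl=%2forders.aspx", ""),
]

def cookie_value(header, name=AUTH_COOKIE):
    """Return the named cookie's value from a Cookie/Set-Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(header or "")
    return jar[name].value if name in jar else None

def find_forced_logins(trace):
    """List (row index, path, cause) for each redirect to the login page
    that happens after a forms-auth ticket was already issued."""
    issued = None       # ticket value the server last handed out
    findings = []
    for i, (path, req_cookie, status, location, set_cookie) in enumerate(trace):
        sent = cookie_value(req_cookie)
        bounced = (status == 302
                   and location.lower().startswith(LOGIN_PATH)
                   and not path.lower().startswith(LOGIN_PATH))
        if bounced and issued is not None:
            if sent is None:
                cause = "client-dropped-cookie"   # browser never sent the ticket
            elif sent != issued:
                cause = "cookie-value-changed"    # ticket altered or stale
            else:
                cause = "server-rejected-ticket"  # sent intact, refused anyway
            findings.append((i, path, cause))
        new = cookie_value(set_cookie)
        if new is not None:
            issued = new or None  # an empty value means the server cleared it
    return findings

if __name__ == "__main__":
    for label, trace in (("TRACE", TRACE), ("TRACE_SERVER", TRACE_SERVER)):
        print(label, find_forced_logins(trace))
```

A `client-dropped-cookie` result points at the browser side (add-ons, security software, cookie domain or path), while `server-rejected-ticket` points at the server (ticket timeout, application restart, multiple worker processes).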

Delete the cookie on the client PC that is playing up.

+1

ASP.NET Forms Authentication can redirect users to the login page if they do not have credentials to access a specific page. It does this so that users who may have more than one login are given the opportunity to log in with another account that may have appropriate access. A basic question, I know, but do the users use the same credentials the second time they log in?

0

You may not have specifically configured ASP.NET to use a cookie-based session, so that either cookies or cookieless are allowed.

In the latter case, the session identifier is embedded in the URL. The type of problems you are experiencing can be explained by this. Basically, depending on how you define your links, some of them will not receive a session identifier, so the user will receive a new session when using these links, or possibly during a redirect. This may explain why users are losing their session in certain parts of your site.

If you have mixed mode enabled, try setting it only to cookieless and go through your site.

Update: Based on the additional information posted here, more information is likely to be needed. Some additional things to check:

  • Do you use subdomains? If so, the cookie might be configured so that it does not work in all environments.
  • If you use an in-process session, make sure that the application does not have an error that causes it to restart the process.
  • Perhaps what causes it to request a login again is an authorization check, and you have a problem with some role-related code.
  • Is it possible that the user simply opens a separate window? ;)
0

To exclude the possibility of a hacked browser, have you checked your User Agent strings? If they are distributed randomly, this may not be causing the problem, but if they are all the same, this may be a hint.

0