I have reports and complaints from my user that they will use the screen and immediately return to the login screen at the following request. This does not always happen, but by accident. After viewing the web server, the error detected in the application event log is as follows:
Event ID: 4005 Event Message: Form authentication failed for request. Reason: The attached ticket has expired.
Everything that I read begins with what people ask about web gardens or load balancing. We do not use any of them. We are a single Windows 2003 (32-bit OS, 64-bit) Server with IIS6. This is the only site on this server.
This behavior does not generate any application exceptions or apparent problems for the user. They simply load back to the login screen and are forced to log in. As you can imagine, this is extremely annoying and counterproductive for our users.
Here is what I installed in my web.config for the application in the root:
<authentication mode="Forms"> <forms name=".TcaNet" protection="All" timeout="40" loginUrl="~/Login.aspx" defaultUrl="~/MyHome.aspx" path="/" slidingExpiration="true" requireSSL="false" /> </authentication>
I also read that if you have any location settings that no longer exist or are dummy, you may have problems. My path attributes are all valid directories, so this should not be a problem:
<location path="js"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="images"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="anon"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="App_Themes"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="NonSSL"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location>
The only thing I donβt understand is that my timeout value in the forms property for the auth ticket should match my session timeout value (defined in the application configuration in IIS). I read some things that say that the authentication timeout should be shorter (40) than the session timeout (45) in order to avoid possible complications. In any case, we have users who go to the login screen a minute or two after their last action. Thus, the session should definitely not expire.
Update 2/23/09: I have since set the session timeout and authentication timeout values ββfor both values ββto 45, and the problem still seems to be happening.
The only other web.config file in the application is located in 1 virtual directory on which the community server is located. The web.config authentication options are as follows:
<authentication mode="Forms"> <forms name=".TcaNet" protection="All" timeout="40" loginUrl="~/Login.aspx" defaultUrl="~/MyHome.aspx" path="/" slidingExpiration="true" requireSSL="true" /> </authentication>
And although I do not believe that this applies if you are not in the web garden, I have both the machine key values ββset in both web.config files the same (removed for convenience):
<machineKey validationKey="<MYVALIDATIONKEYHERE>" decryptionKey="<MYDECRYPTIONKEYHERE>" validation="SHA1" /> <machineKey validationKey="<MYVALIDATIONKEYHERE>" decryptionKey="<MYDECRYPTIONKEYHERE>" validation="SHA1"/>
Any help with this would be greatly appreciated. This is apparently one of those issues that gives a ton of Google results, none of which seem to be relevant to my situation so far.