views:

642

answers:

4

I have a problem with an ASP.NET application that is driving me nuts.

When a user leaves a page inactive for a period of time the session was timing out and error were being thrown due to session variables not being resolvable (I will error trap this anyway but this is not the problem). I coded a 'defribulator' which will perform an invisible postback after half of the session timeout has expired and this seemed to work fine - leaving the application for 30 mins did not cause an error even though the session timeout was set for 20 mins. However, this morning one of the other Devs experienced a timeout - How is this possible?

On further investigation I think that the problem occurs when the Forms Authentication timeout is exceeded - even though the defribulator has been (apparently) keeping the session alive. I have read that the Authentication ticket will only be reissued if a postback occurs after half of the specified timeout period has elepsed and this can't the issue as the defrib will have issued requests during the second half of the timeout period - so why was it not reissued?

I suppose I could get around the problem by setting the authentication timeout to 8 hours or so but that is a poor fix.

Can anyone shed any light on this?

Thanks in advance

[Edit 24/11/2008] Reviewing the Log Files has proved enlightening and confusing. I can see the defribulator firing after 10 minutes of inactivity but while the Session_Id appears to be consitent throughout, the forms authentications ticket ID changes - not sure if it is supposed to or not. I'm formulating a test plan now and will post back when i have completed them. Thanks to everyone who have provided feedback so far.

[Edit 24/11/2008] Well I'm stumped - everthing seems to be working fine at the moment! The Authentication ticket is being regenerated when the defrib runs (the ID changes) and the session is being maintained. Was it a server issue - can't tell. I have experienced this problem before and never got to the bottom of it and it is very frustrating - surely it should not be this difficult. I'm going to have to let this drop for the timebeing as I have to get on with some other aspects of the application. I'll just have to code around this issue - which may never occur on the customer site.

Thanks again for everyones input - if I make any progress I will post it back here.

+5  A: 

This may also happen when iis recycles or terminates the application pool.

You may want to check Troubleshoot Forms Authentication It could be that the client lost their cookie.

If you manually generate the authentication ticket, you need to set the timeout in code and not the web.config

Aaron Fischer
Is there anyway of handling this so that authentication/session is not lost?
DilbertDave
Your suggestion led me to this article which may help me (I'll have a look on Monday)http://msdn.microsoft.com/en-us/library/ms972429.aspx
DilbertDave
My team has been having problems with session timeouts and Dave's link was extremely helpful, thanks DilbertDave!
Jeremy Bade
+1  A: 

Don't mean to state the obvious, but:

  1. Are the Session and FormsAuthentication timeouts set to the same value?
  2. Is slidingExpiration set to true?
A: 

Thanks for the response guys: I have already explicitly set slidingExpiration to true in the web.config with no effect.

The timeout values are: Session: 20 minutes FormsAuthentication: 60 minutes

I have left the session timeout as is and reduced the FormsAuthentication to 12 minutes for testing. The defrib 'pings' every 10 minutes. If I leave the page inactive for 14 minutes and then click a button I get the problem #edit: but not everytime it seems!#.

DilbertDave
+1  A: 

Have you checked against an application pool or worker process recycling causing the problem?

JB King
Not yet - it was suggested yesterday after I left work so I will look on Monday. Would this cause the forms authentication to drop - I though that was cookie based.
DilbertDave
This could have been the problem (which seems to have gone away now!) but I cannot be sure. Nothing in Event Logs :-(
DilbertDave
Even if it is cookie based, how is the cookie being decrypted properly if the machine is changing what keys it used to encrypt the cookie? Course that is a bit of an assumption but it was something I've seen when using Forms authentication.
JB King