
I built a website with ASP.NET and it works fine, but sometimes it kicks users out of their accounts without any reason. I set the session and forms timeouts in my web.config, but it still happens. The data I store in the session is also small, for example a single word (journal x). Can anybody help me? I am confused! Here is my web.config:

<?xml version="1.0"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
  -->
<!--
  Application configuration for an ASP.NET 4.0 Web Forms site: chart image handler,
  SMTP settings, SQL Server connection strings, membership and role providers,
  session state and forms authentication.
  -->
<configuration>
  <appSettings>
    <!-- Chart control setting: storage=session keeps generated chart images in session state. -->
    <add key="ChartImageHandler" value="storage=session;timeout=5;" />
  </appSettings>
  <system.webServer>
    <!-- The chart handler is registered here for the IIS integrated pipeline and again under
         system.web/httpHandlers; this switch turns off the integrated mode configuration check. -->
    <validation validateIntegratedModeConfiguration="false" />


    <handlers>
      <remove name="ChartImageHandler" />
      <add name="ChartImageHandler" preCondition="integratedMode" verb="GET,HEAD,POST"
        path="ChartImg.axd" type="System.Web.UI.DataVisualization.Charting.ChartHttpHandler, System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </handlers>
  </system.webServer>
  <system.net>

    <mailSettings>
      <smtp from="waag@waag.ir">
        <!-- NOTE(review): an SMTP login is configured for port 25 and enableSsl is not set on
             this element, so the credentials may be sent without transport encryption.
             Confirm whether the mail host supports TLS and enable it if so. -->
        <network host="mail.waag.ir" port="25" userName="*****" password="*****"/>
      </smtp>
    </mailSettings>
  </system.net>
  <connectionStrings>
    <!-- NOTE(review): both active entries embed a SQL login and password in clear text, keep
         them available with Persist Security Info=True, and address a remote server by IP.
         Encrypt is not set in the connection strings, so confirm the database link is
         protected. Consider encrypting this section with protected configuration so the
         secrets cannot be read straight from the file. -->

    <!--<add name="dbconn" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\ASPNETDB.MDF;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient"/>
        <add name="ConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\ASPNETDB.MDF;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient"/>-->


    <add name="dbconn" connectionString="Password=****;Persist Security Info=True;User ID=****;Initial Catalog=esfahanhost_****;Data Source=174.142.4.132" providerName="System.Data.SqlClient" />

    <!-- LocalSqlServer is removed and defined again with the same target as dbconn;
         presumably so that built-in providers referring to that name (such as the role
         provider enabled below) use the same database. Verify against the hosting setup. -->
    <remove name="LocalSqlServer"/>

    <add name="LocalSqlServer" connectionString="Password=****;Persist Security Info=True;User ID=****;Initial Catalog=esfahanhost_****;Data Source=174.142.4.132" providerName="System.Data.SqlClient" />


  </connectionStrings>
  <system.web>





    <httpHandlers>
      <add path="ChartImg.axd" verb="GET,HEAD,POST" type="System.Web.UI.DataVisualization.Charting.ChartHttpHandler, System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
        validate="false" />
    </httpHandlers>
    <!-- SQL membership provider bound to the dbconn connection string. -->
    <membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="15">

      <providers>
        <clear/>
        <!-- NOTE(review): the password policy is weak: minimum length 6 and no non-alphanumeric
             character required. Lockout applies after 5 invalid attempts inside the
             passwordAttemptWindow. Consider raising the minimum length. -->
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="dbconn"
           enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
           maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
           applicationName="/" />

      </providers>
    </membership>


    <!-- InProc keeps session data in the memory of the worker process, so an application
         restart or application pool recycle discards every session whatever the timeout is.
         NOTE(review): if pages treat a missing session value as "not logged in", this is a
         likely source of unexpected sign-outs; check the event log for restarts. -->
    <sessionState mode="InProc" timeout="30"/>
    <roleManager enabled="true"/>
    <!-- Forms authentication ticket cookie named AC7.ASPXAUTH with sliding expiration.
         NOTE(review): requireSSL is not set here, so the ticket cookie can travel over plain
         HTTP. No machineKey element is visible in this file; if the keys are auto-generated,
         existing tickets may stop validating after an application restart. Confirm both. -->
    <authentication mode="Forms">  
      <forms timeout="30" slidingExpiration="true" name="AC7.ASPXAUTH" />
    </authentication>

      <!-- NOTE(review): debug="true" is a development setting; use false on a deployed site. -->
      <compilation debug="true" strict="false" explicit="true" targetFramework="4.0">
        <assemblies>

          <add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
          <add assembly="System.Web.Extensions.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
          <add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
        </assemblies>
      </compilation>
      <!-- NOTE(review): three page protections are switched off on this element:
           enableViewStateMac="false" removes the integrity check (MAC) on view state,
           enableEventValidation="false" turns off postback event validation, and
           viewStateEncryptionMode="Never" disables view state encryption. Without the MAC the
           server accepts view state that a client has modified. Restore the defaults unless
           there is a documented reason; later ASP.NET updates enforce the MAC regardless. -->
      <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" enableEventValidation="false" viewStateEncryptionMode="Never" enableViewStateMac="false">
          <controls>
              <add tagPrefix="asp" namespace="System.Web.UI.DataVisualization.Charting"
                  assembly="System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          </controls>

      </pages>

  </system.web>

</configuration>

1 Answer


The login information is stored in a cookie. If you have not set the cookie's domain in web.config and the user moves from, e.g., www.domain.com to domain.com, the cookie is not sent and the user may be logged out.

So set the domain on your forms tag like this (do not include the www):

<!-- Scopes the forms ticket cookie to the bare domain (no "www", no scheme) so the same
     cookie is sent to both host names.
     NOTE(review): a cookie scoped this way is also sent to every other subdomain of that
     domain; confirm that all of them are trusted before using it. -->
<authentication mode="Forms">  
  <forms domain="yoursitename.com" timeout="30" slidingExpiration="true" name="AC7.ASPXAUTH" />
</authentication>

Also set the domain on the roleManager tag and on the cookie tag.

More to read about:
Can some hacker steal the cookie from a user and login with that name on a web site?
Multiple applications using same login database logging each other out

Aristos
  • should i do this for sessions too? –  Dec 10 '12 at 14:58
  • thank you so much for your great answer. My final question is: does the domain="yoursitename.com" need "www" or "http://"? –  Dec 10 '12 at 15:01
  • @SaeedTalaee You do NOT include the http:// and you do NOT include the `www` either! That is the point of using it: the same cookie is set either with www or without it; otherwise the cookies are different. – Aristos Dec 10 '12 at 15:02
  • a problem occur!!! I can not log in any more! as i log in, nothing happen, and log in page appear again. –  Dec 10 '12 at 15:15
  • of course... role author for any journal Username:author@waag.ir Password :123456 –  Dec 10 '12 at 16:03
  • @SaeedTalaee It seems that you have not set up the URLs/rewrite/redirect correctly, or something similar, because `http://www.aag.ir/Author/S0_Start.aspx` does not work after login once the `www` changes. Do you make any redirect? Also, this does not work either: `https://www.waag.ir/Login.aspx` - you have some error on your https pages – Aristos Dec 10 '12 at 16:42
  • yes i make redirects there! should i omit them. if i omit them the how redirect users to their pages? –  Dec 10 '12 at 16:49
  • and one more thing i never checked my site in https// before! why this error happen?! –  Dec 10 '12 at 16:50