0

I have an ASP.Net MVC app, making use of Forms Authentication, with the following config:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="1440" slidingExpiration="true" />
</authentication>

The user count ranges between 20 and 40. Users log in and use the application without a problem...90% of the time.

However, we are finding that on a seemingly random basis, all users suddenly get logged out at the same time, and are presented with the Logon screen again.

The ELMAH log shows that the requests all still have their respective aspxauth cookies, yet the Request.User.Identity is unauthenticated, and has a blank Name.

Please advise where I can start looking as I am at my wits end on this.

Shawn de Wet
  • 5,642
  • 6
  • 57
  • 88
  • 3
    IIS recycle should be the reason. – Cosmin Vană Jun 30 '14 at 11:39
  • The app pool was configured to recycle every 1740 minutes. I changed this to recycle at 8:00pm instead, and monitored for a day. This did not solve the problem. – Shawn de Wet Jul 02 '14 at 02:43
  • The app pool can recycle for many other reasons. That configuration only applies if no other problem is encountered before. Please take a look at this question: http://stackoverflow.com/questions/302110/what-causes-an-application-pool-in-iis-to-recycle – Cosmin Vană Jul 02 '14 at 07:02
  • Oh wow. I see. But boy oh boy, is it right then that after the recycle all logged-in users should be considered logged-out and thus unauthenticated? Should the next request, which still contains a .aspxauth cookie not just be able to pick up where his/her last request left off? – Shawn de Wet Jul 03 '14 at 03:22
  • 1
    yes, because the cookie value is matched with a value stored in server memory to identify the user (and to provide session).When the app pool recycles, the memory on the server is lost, so it will not find a "matching user" for the received cookie in it's memory on the next request. – Cosmin Vană Jul 03 '14 at 06:19
  • wow this developer has just learnt something about IIS. Thanx. I have turned on logging to see what is recycling the app pools. – Shawn de Wet Jul 03 '14 at 06:31
  • One thing that you can do if you find out that you can't control the recycle reason, is to look for a way to store the session outside IIS (in another process or database). I haven't implemented any of those until now and I don't expect it to be very easy, but you can give it a shot if your application loses state too often. – Cosmin Vană Jul 03 '14 at 08:49

0 Answers0