Users get redirected to login page over and over with no error...

We've got a web application that we launched about two months ago.  It uses Forms authentication with a sqlRoleProvider and a couple membership providers (ldap and a db).  Sessions are set to time out after 60 minutes of inactivity. 

99% of the time logging in after session times out works fine.  But we have a lot of users, and about 1% of the time (at least that's been reported) a user will timeout, get redirected to the login page, and when they attempt to login they just get redirected back to the login page with no error message.  I've actually seen this happen once and was able to attempt the login over and over and I never got an error, just had the login page reload over and over and over again.  Unfortunately I have never been able to reproduce this at my desk, so I have no idea what's causing it or how to resolve it.

Here's a couple more details: 

I use log4net and log each time the user attempts to login, is successfully logged in, and each time the login page loads.  When this happens the log shows something like: 

2008-09-01 15:15:33,579 [1234] DEBUG Login Page Loaded
2008-09-01 15:15:34,745 [1234] DEBUG ActiveDirectoryConnector [] - Attempt to validate 'shampton'
2008-09-01 15:15:34,933 [1234] DEBUG ActiveDirectoryConnector [] - Successfully validated 'shampton'

2008-09-01 15:15:35,521 [1234] DEBUG Login Page Loaded
2008-09-01 15:15:38,457 [1234] DEBUG Login Page Loaded
2008-09-01 15:15:41,217 [1234] DEBUG Login Page Loaded
2008-09-01 15:15:43,454 [1234] DEBUG Login Page Loaded

And that's it.  There's no indication of what might have gone wrong, and there's no unhandled exception thrown...

I've scoured my code and I don't redirect the user to the login page ANYWHERE.  Obviously the login page is in my web.config, but nowhere else is it mentioned.  So it seems that something is happening within the ASP.NET authentication system...?

I could really use some help - has anyone seen anything like this before?  I'm out of troubleshooting ideas...

Thanks for the help!

Eddie

 

0
eappell
9/3/2008 5:36:17 PM

Do you keep track of the asp.net performance counters? I'm wondering if there could be something interesting happening in there, such as repeated application recycling or audit errors. Looking about it, it seems like it may have to do with a certain proxy configuration... would that ring a bell?

Also, it's a long shot, but do you call Session.Abandon anywhere in your code?

0
shados
9/3/2008 5:58:43 PM

Interesting idea.  Could be a proxy or firewall config, but I'm not sure how to troubleshoot that...  We are going through a couple firewalls in our architecture (web server is in one place, db server in another and authentication in another and all protected behind firewalls).  Would this happen to only individual users on an occasional basis if that were the case?

The other thing you mentioned, calling Session.Abandon, sounds even more likely.  I am calling it in only one place in the entire app, in the Session_End method of Global.asax.cs.  So if, for some reason, the app kills the session right after they log in, then that might be the cause, but it does seem pretty strange.  Again, they do log in successfully once, and this happens after they've timed out...

Does that help narrow things down at all?  I've put some debug lines in the Session_End so I can see if that's what's happening, but I won't be able to actually get that out there for testing until the next production build...

Thanks for the reply!

0
eappell
9/3/2008 6:11:03 PM

Yes actually. Doing a Session.Abandon in Session End is not very useful. Think about it: First, Session_End doesn't happen if you don't use InProc session. Don't know if that's your case or not. Second, when the session ends... the session is lost. I believe, too, that session end happens -after- the session is lost... so in rare scenarios where the session is lost, and the login redirection checks the authentication cookie, which is still present, it would push the sliding expiration (or some similar concept) and let the cookie still be valid, but the session.abandon would kick in, making the association invalid, over and over.

Anyway, the above is the single worst explanation in the history of information technology, so don't quote me (I'm not writing a book anytime soon, but as an excuse, English is far, far from being my primary language), but basically, Session.Abandon in the ONE event where you know for sure that session will vanish, is pretty much NOT useful... try and take it out. I confirmed before posting this that many people on the net had your exact issue, and it was related to session.abandon... nothing to lose eh?

Looks like it's a similar situation to when people try and reload the cache in the event where cache expires... it ends up doing weird things.

0
shados
9/3/2008 6:16:48 PM

Yeah, we're actually using StateServer for Session management, if that makes any difference... 

I think I added Session.Abandon to Session_End a while back because we track a lot of info in the session, and I was finding that sometimes when the user's session had timed out, some of the session data was still there - it didn't trash all of the session objects.  But I will comment it out and see if that fixes this issue.  Sounds like that may be it...

Thanks again - eddie

0
eappell
9/3/2008 6:26:50 PM

If you're using StateServer, Session_End never happens as far as I know... so it may not be your problem... but it's worth trying.

If session objects are still around after a session timeout (careful: session and login time out separately... don't confuse one with the other.), there may be some stuff being done where you should not, of the same nature as the Session_End's session abandon... maybe that's worth investigating, too.

0
shados
9/3/2008 6:49:12 PM

Really!?  I didn't know that...  Any idea if there's a link somewhere that mentions that?  I did a search on MS KB and couldn't find much info at all on the specifics of each type of state management...

0
eappell
9/3/2008 6:52:52 PM

http://msdn.microsoft.com/en-us/library/system.web.sessionstate.sessionstatemodule.end.aspx

Here you go. Session End is an event from the http module SessionStateModule, and is handled specifically in Global.asax under various names (like for page events) and whatnot... if you look at that page, it's quite specific:

The Session_OnEnd event is only supported when the session-state HttpSessionState.Mode property value is InProc, which is the default. If the session-state Mode is set to StateServer or SQLServer, then the Session_OnEnd event in the Global.asax file is ignored. If the session state Mode property value is Custom, then support for the Session_OnEnd event is determined by the custom session-state store provider.

0
shados
9/3/2008 6:59:20 PM

Yep, that's pretty clear!  So this may not be it at all, but I've gone ahead and taken the line out anyways, since it shouldn't have any effect regardless.  I've got it in QA and am testing it, but it looks like we're back at square one again...

So I guess I'll try to find out what proxy or firewall configurations may be causing this, since I can't think of anything else...

Thanks again for your help!!

eddie

0
eappell
9/3/2008 7:16:29 PM

If you're using standard login procedures (either the AD Membership provider, or you're using the appropriate methods and events to implement your own, as opposed to an ad hoc solution), you can try implementing Health Monitoring to track what the hell is happening, by monitoring the audit events... That may enlighten you. Honestly, googling around, it seems to be an issue happening to multiple people... so I'm definitely curious about the solution... it may hit -me- someday :)

0
shados
9/3/2008 7:20:13 PM

One thing by the way that may be troublesome... How -exactly- are you redirecting the user to the login on a session timeout? Remember... when the session times out, the user may already be logged in... Depending on how your login system works, you may end up redirecting to the login page someone that is already logged in... You're using global.asax or an http module to check the session's status? Have you investigated the redirect code and how it works? Do you log out the user? I'm wondering if there isn't a slight, uncommon logistic mistake in there...

0
shados
9/3/2008 7:29:07 PM

I have no code in my application that actually redirects the user to the login page.  I just have the login page noted in the web.config, and when the session doesn't exist I believe asp.net redirects them to the login page for me.  Isn't that how it's supposed to work?

I found a good how-to on MSDN about health monitoring, so I'll try to put that in place and see if that doesn't pinpoint what's happening here.  I'll definitely post back to this thread if I find more info, or better yet, the source and solution to this issue...

0
eappell
9/3/2008 7:36:39 PM

You'll get redirected to login if the login expires, which is quite different from if the session expires. Session can expire independently from authentication...

http://teabreak.pk/forms-authentication-timeout-vs-session-timeout-136/5388/

That's a good link, and it has a link itself to a KB.

If you're never handling session timeout directly, things can get seriously quirky. A logged out user could still have session values from when they were logged in, before their authentication expired, and a logged in user could lose session... And they can easily get out of sync. I tend to redirect users to login if some session value isn't found, and in the login page, hit session.abandon if session still has values in it (if they went to the login page manually), as well as log them out, among other measures.

I think we may have a lead here now.

0
shados
9/3/2008 7:42:21 PM

Yeah, I don't think I made the connection that session is completely separate from authentication...  For some reason I've just been lumping them together.  This could definitely be a lead.  I'll re-read that article and the linked kb and see if I can make some code changes based on that.  His suggested solution may work for us (make the authentication timeout double the session timeout and add that method to Global.asax.cs)...  I'll post back here if I get anywhere with this...

0
eappell
9/3/2008 8:03:32 PM
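
The approach described in the last few posts (treat the forms-authentication ticket and the session as separate lifetimes, and send the user through a clean login when the two drift apart), as an added C# sketch that is not code from the thread or from the linked article. The session key `UserProfileLoaded`, the `Login.aspx` name and the 120-minute ticket lifetime are assumptions; the login page is assumed to store the key in session after a successful login.

```csharp
// Global.asax.cs -- added illustration, not the original poster's code.
//
// Matching web.config fragment (both timeouts are in minutes; the values
// follow the "authentication timeout double the session timeout" idea
// mentioned in the thread, and Login.aspx is an assumed page name):
//
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" timeout="120" slidingExpiration="true" />
//   </authentication>
//   <sessionState mode="StateServer" timeout="60" />
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical marker that the login page writes into session
    // right after the membership provider validates the user.
    private const string SessionMarker = "UserProfileLoaded";

    // Session state is not available before AcquireRequestState,
    // so the consistency check has to live here (or later).
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Handlers that do not use session state expose a null Session.
        if (ctx == null || ctx.Session == null)
            return;

        // No valid ticket: the forms-authentication module already sends
        // anonymous users to loginUrl, nothing to reconcile here.
        if (!ctx.Request.IsAuthenticated)
            return;

        if (ctx.Session[SessionMarker] == null)
        {
            // Ticket is still valid but the session behind it is gone
            // (session timed out first, state server restarted, ...).
            // Drop both halves so the next login starts from a clean state.
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();

            // RedirectToLoginPage does not end the request by itself,
            // so skip the rest of the pipeline explicitly.
            FormsAuthentication.RedirectToLoginPage();
            CompleteRequest();
        }
    }
}
```

Because the check signs the user out before redirecting, the follow-up request to the login page arrives unauthenticated and passes straight through, so the check itself cannot cause a redirect loop.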