Logged in users get logged out after some time

2019-03-16 10:46发布

问题:

I made a new MVC3 application and it's hosted on WinHost's basic plan.

The gist of the problem is, the app pool memory limits are reached and every session InProc is erased, meaning my users are logged out.

As per their documentation, I see this:

http://support.winhost.com/KB/a626/how-to-enable-aspnet-sql-server-session-on-your-web.aspx

Here is the contents of my web.config after following the steps outlined above:

<?xml version="1.0"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=152368
  -->
<configuration>  
  <connectionStrings>    
    <!-- REMOVED FOR PRIVACY -->
  </connectionStrings>
  <appSettings>
    <add key="webpages:Version" value="1.0.0.0"/>
    <add key="ClientValidationEnabled" value="true"/>
    <add key="UnobtrusiveJavaScriptEnabled" value="true"/>
  </appSettings>
  <system.web>    
    <sessionState mode="SQLServer"
                  allowCustomSqlDatabase="true"                  
                  cookieless="false"
                  timeout="2880"
                  sqlConnectionString="data Source='tcp:s407.winhost.com';database='DB_41_xx';user id='DB_11_xx_user'; password='xx';" />
    <trust level="Full"/>
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.Helpers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.WebPages, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
      </assemblies>
    </compilation>
    <authentication mode="Forms">
      <forms loginUrl="~/" timeout="2880"/>
    </authentication>
    <membership>
      <providers>
        <clear/>
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"/>
      </providers>
    </membership>
    <profile>
      <providers>
        <clear/>
        <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
      </providers>
    </profile>
    <roleManager enabled="false">
      <providers>
        <clear/>
        <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/"/>
        <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/"/>
      </providers>
    </roleManager>
    <pages>
      <namespaces>
        <add namespace="System.Web.Helpers"/>
        <add namespace="System.Web.Mvc"/>
        <add namespace="System.Web.Mvc.Ajax"/>
        <add namespace="System.Web.Mvc.Html"/>
        <add namespace="System.Web.Routing"/>
        <add namespace="System.Web.WebPages"/>
      </namespaces>
    </pages>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35"/>
        <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-4.0.8.0" newVersion="4.0.8.0"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>

Here lies the problem:

My users are still getting logged of after some time. I thought using SQL for the session would prevent this issue.

Here is the relevant bit of code on how I'm loggin my users in:

[HttpPost]
public ActionResult Login(LogOnModel model)
{
    using (EfAccountRepository accountRepository = new EfAccountRepository())
    {
        if (accountRepository.ValidateCredentials(model.Email, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.Email, true);
            return RedirectToAction("Index", "Home");
        }    
    }

    ModelState.AddModelError("", "Your email or password is incorrect.");
    return View(model);
}

And here is some code I use to see if the user is logged in:

    public static MvcHtmlString AdminDashboardLink()
    {
        if (SecurityHelpers.UserIsPartOfCompany(HttpContext.Current))
        {
            string html = "<li><a href='/Admin'>ADMIN DASHBOARD</a></li>";
            return new MvcHtmlString(html);
        }
        else
        {
            return new MvcHtmlString("");
        }
    }

    public static bool UserIsPartOfCompany(HttpContext context)
    {
        if (!context.Request.IsAuthenticated)
            return false;

        using (EfAccountRepository accountRepository = new EfAccountRepository())
        {
            var loggedInUser = accountRepository.FindByEmail(context.User.Identity.Name);
            string[] userRoles = accountRepository.GetRolesForUser(loggedInUser.AccountId);

            return userRoles.Contains("Editor") || userRoles.Contains("Finance") || userRoles.Contains("Administrator");
        }            
    }

Any suggestions? Maybe my web.config is botched and this is causing issues. Maybe I also needed to remove something after I added in the session information?

回答1:

It is caused some times because the garbage collector cleans the machine key assigned to your application and assigns a new key that causes the looged in users to log out. Solution is to generate a machineKey for your application and place it in the web.config under system.web like

<system.web>
    <machineKey validationKey="###YOUR KEY HERE ###"
                decryptionKey="## decrypt key here ##" 
                validation="SHA1" decryption="AES" />
...
...

this link may help you http://aspnetresources.com/tools/machineKey



回答2:

Forms auth is not session related, at all. It has nothing to do with session state. Everything required is stored in the forms auth cookie.

Your timeout above is set to 2880, so 48 hours i.e. two days so I would expect timeouts to happen.