We are getting a problem where users are being kicked out of the form and navigated to the Login page even if the session has not timed out yet. Very frustrating to the users…
It doesn’t happen all the time and not to all users. It looks like the Authentication Ticket is somewhat not valid but intermittently.
Is this a common problem with ASP.NET Forms Authentication?
Actually, the ticket may in fact be expiring. Have you actually tracked one to see if it is being renewed correctly? Here’s a link to an example of how to get at the ticket, test for sliding expirations, and renew it.
Check the event log to see if your app recycles for some reason. If there’s a serious resource leak, IIS may recycle the app pool to release memory. IIRC it is by default set to recycle if IIS uses more than 60% of RAM.
Yes, the event log doesn’t show any recycling of IIS. Otherwise all of them would be kicked out. Only some users are experiencing this… and some of them just after logging in.
Is there any known issue of antivirus on the client side corrupting the Auth Ticket?
Are you sure about that? Because the behavior you’re experiencing sounds to me that the application recycles! Do you have a machine key in your web.config? If not, you really should create one:
The machine key is used to encrypt/decrypt the authentication tickets. When no machine key is specified, ASP.NET will generate one. But when the application recycles, ASP.NET will generate a new one, resulting in the behavior you’re describing. Because the existing tickets are encrypted using the previous key, they cannot be decrypted with the new key anymore, so ASP.NET will force you to log in again. Specifying a machine key will solve this.
There are two things you can do in order to resolve this issue. Well, only if your forms authentication and other properties are set correctly.
Create a Machine Key in your web.config.
Change the App Pool Process Idle time to a higher limit. By default it’s 20 minutes.
When the process stays idle for more than 20 minutes, it kills the worker process and regenerates the machine key as well, while the existing cookie on the client machine is encrypted with the older machine key. As it won’t be decrypted using the new machine key, the user will be sent to the login page to re-enter the credentials and so create a new persistent cookie.
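
The static machine key recommended in the replies above, as an added example that is not part of the original thread: a PowerShell script that generates random key material and prints a `<machineKey>` element to paste into the `<system.web>` section of web.config. The function names are hypothetical, and the key lengths assume `validation="HMACSHA256"` and `decryption="AES"`.

```powershell
# Added example (not from the thread): build a static <machineKey> element
# so forms authentication tickets stay decryptable across app pool recycles.
# Assumed algorithms: HMACSHA256 validation (64-byte key), AES decryption (32-byte key).

function New-HexKey {
    # Hypothetical helper: returns $ByteCount random bytes as upper-case hex.
    param([Parameter(Mandatory)][int]$ByteCount)

    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # Cryptographically strong randomness; Get-Random is not suitable for keys.
        $rng.GetBytes($bytes)
    }
    finally {
        $rng.Dispose()
    }

    # BitConverter yields "AB-CD-..."; web.config expects hex with no separators.
    return [System.BitConverter]::ToString($bytes).Replace('-', '')
}

function New-MachineKeyElement {
    # Hypothetical helper: formats the element for <system.web> in web.config.
    $validationKey = New-HexKey -ByteCount 64   # 128 hex characters
    $decryptionKey = New-HexKey -ByteCount 32   # 64 hex characters

    $template = '<machineKey validationKey="{0}" decryptionKey="{1}" ' +
                'validation="HMACSHA256" decryption="AES" />'
    return $template -f $validationKey, $decryptionKey
}

# Print the element; copy it into web.config by hand or from a deployment step.
New-MachineKeyElement
```

Treat the generated element as a secret, because anyone who holds these keys can forge authentication tickets, so keep it out of source control. In a web farm, every server that must accept the same cookies needs the identical element.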