forms authentication persistent across multiple servers - asp.net-mvc-2

I have an MVC 2.0 application that requires a persistent login (if chosen) using forms authentication, which is load balanced between two servers.
My web.config (on both servers) looks like so:
<authentication mode="Forms">
    <forms name="MA_AuthCookie" loginUrl="~/Account/LogOn" timeout="86400" protection="All" path="/" slidingExpiration="false"/>
</authentication>
<machineKey validationKey="*************180C6E1FD3E9338B78ACD83CA0A99F27B985AF97871BDBA43E1426DB8FA82F811779BFB779D1E90EB9BCCDE71D3F0458392736B17D3"
            decryptionKey="*****************D72F47EF06B1F594CAAF1BEA311555A9D8E8"
            validation="SHA1"
            decryption="AES" />
The timeout is set for 60 days and I am using the following script to set the cookie on login:
FormsAuthentication.SetAuthCookie(userName, true);
All works great, or so it seems, across both servers until I come back an hour or so later with no activity and my auth cookie is gone. I am not sure whether this has something to do with the worker process on either load-balanced server for the application, because I can go directly to one of the servers, log in, and my login is persisted as it should be. Also, from my findings, the fact that I am setting a machine validation key is supposed to get around the issue of keys being recreated when the worker process recycles. There must be something I am missing. If anyone can point me in the right direction it would be very appreciated.
Thanks,
Billy

Looks like I failed to realize the obvious. Although it seemed as though the login would persist when closing the browser down sometimes and sometimes not, the setting to expire cookies at the end of the session was checked in my Firefox browser. All is good after making that change.
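The thread above turns on two things a forms-authentication ticket needs in order to survive a load balancer: an identical machineKey on every node (so a ticket issued by one server validates on the other) and a cookie lifetime that matches the intended persistence. The following script is an added example, not code from the original post: it reads web.config fragments for each node, reports any machineKey or forms attribute that differs, flags AutoGenerate keys, and converts the forms timeout (minutes) into days. The two config fragments and their key values are constructed placeholders, not the poster's real keys.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for two load-balanced nodes (example data,
# not the poster's files). Key values are placeholders, not real key material.
NODE_A = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="MA_AuthCookie" loginUrl="~/Account/LogOn" timeout="86400"
             protection="All" path="/" slidingExpiration="false"/>
    </authentication>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_NODE_A"
                validation="SHA1" decryption="AES"/>
  </system.web>
</configuration>"""

# Node B was deployed with a different decryptionKey: a typical copy/paste slip.
NODE_B = NODE_A.replace("PLACEHOLDER_DECRYPTION_KEY_NODE_A",
                        "PLACEHOLDER_DECRYPTION_KEY_NODE_B")

MACHINE_KEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")
FORMS_ATTRS = ("name", "timeout", "protection", "path", "slidingExpiration", "domain")


def extract_auth_settings(web_config_xml):
    """Return the machineKey and <forms> attributes that must agree across nodes."""
    root = ET.fromstring(web_config_xml)
    settings = {}
    # iter() matches by tag name, so the dotted <system.web> element needs no path syntax.
    machine_key = next(root.iter("machineKey"), None)
    forms = next(root.iter("forms"), None)
    if machine_key is not None:
        for attr in MACHINE_KEY_ATTRS:
            settings["machineKey." + attr] = machine_key.get(attr)
    if forms is not None:
        for attr in FORMS_ATTRS:
            settings["forms." + attr] = forms.get(attr)
    return settings


def audit_nodes(configs):
    """configs maps node name -> web.config text. Returns a list of findings (empty = consistent)."""
    findings = []
    extracted = {name: extract_auth_settings(xml) for name, xml in configs.items()}
    all_keys = sorted({k for s in extracted.values() for k in s})
    for key in all_keys:
        values = {name: s.get(key) for name, s in extracted.items()}
        if len(set(values.values())) > 1:
            findings.append(f"{key} differs across nodes: {values}")
    for name, s in extracted.items():
        for key in ("machineKey.validationKey", "machineKey.decryptionKey"):
            value = s.get(key)
            if value is None or "AutoGenerate" in value:
                findings.append(f"{name}: {key} missing or auto-generated; "
                                "tickets issued by this node will not validate on the others")
    return findings


def ticket_lifetime_days(settings):
    """<forms timeout> is in minutes; 86400 minutes is 60 days."""
    return int(settings["forms.timeout"]) / (24 * 60)


if __name__ == "__main__":
    for finding in audit_nodes({"node-a": NODE_A, "node-b": NODE_B}):
        print(finding)
    print("ticket lifetime (days):", ticket_lifetime_days(extract_auth_settings(NODE_A)))
```

Run it against the real files from each node before blaming the load balancer: an empty findings list means a ticket from either server should validate on the other, and any remaining expiry problem is on the client side (as the browser setting in the self-answer turned out to be).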


Jasper Server logged out when editing a big domain

So my company is using Jasper Server 6 and we are running into this problem of editing a very big domain (lots of tables). If I choose Edit with Domain Designer…, the designer will open up, but as soon as I click any tab (table, derived table, ...), I get the "The connection was reset" error page. On some of our clients, we got kicked out of the session and had to log in again.
What is the cause of this and how can I fix it? Thanks.
You will need to change the value of maxPostSize of the Connector element in the conf/server.xml file in the Tomcat home directory. The default value is 2MB and you can either increase it or set it to "0" or "-1", depending on your version of Tomcat, to disable the POST size limit.
Per Jaspersoft Community forum:
https://community.jaspersoft.com/wiki/while-navigating-domain-designer-tabs-large-domain-it-redirects-login-page
Issue Description
A customer was attempting to edit a huge domain, and when browsing through their load balancer or proxy the browser would hang, and when bypassing the proxy (hitting JRS directly) the browser would redirect to the login page. Analysis of the jasperserver.log showed an error from CsrfGuard:
error:required token is missing from the request
Resolution
The error means that the OWASP_CSRFTOKEN is being lost from the HTTP POST which occurs while browsing from one tab to another in the domain designer. From viewing example POSTs of other domains we can see the OWASP_CSRFTOKEN token is one of the last items added to the HTTP POST body. Since there is no proxy or load balancer, the primary way for the OWASP_CSRFTOKEN to be lost is Tomcat truncating the end of the POST body due to its maxPostSize. In Tomcat's server.xml, edit the Connector element, adding a value larger than the total POST size, for example:
<Connector port="8070"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxPostSize="20000000"
           redirectPort="8443" />
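The failure mode in the answer above is a size limit silently dropping the last field of a form post, which happens to be the CSRF token. The script below is an added example, not part of the original answer or of Tomcat: it reads a server.xml, works out the effective maxPostSize of each Connector (the 2 MB default when the attribute is absent, no limit when it is 0 or negative, as the answer describes) and reports whether a post of a given size would fit. The server.xml fragment is constructed for the example; the rule that 0 or a negative value disables the limit is taken from the answer and is version dependent.

```python
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_MAX_POST = 2 * 1024 * 1024  # 2 MB default when the attribute is absent

# Constructed server.xml fragment (not the poster's file): one connector left at the
# default, one raised as in the answer above, one with the limit switched off.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8070" protocol="HTTP/1.1" connectionTimeout="20000"
               maxPostSize="20000000" redirectPort="8443"/>
    <Connector port="8090" protocol="HTTP/1.1" maxPostSize="-1"/>
  </Service>
</Server>"""


def effective_max_post_size(connector):
    """Return the byte limit for a <Connector>, or None when the limit is disabled.
    Per the answer above, 0 or a negative value disables the check (version dependent)."""
    raw = connector.get("maxPostSize")
    if raw is None:
        return TOMCAT_DEFAULT_MAX_POST
    value = int(raw)
    return None if value <= 0 else value


def audit_connectors(server_xml, required_post_bytes):
    """For each connector, say whether a POST of required_post_bytes fits under its limit.
    Returns {port: (limit, status)} with status 'ok', 'too-small' or 'unbounded'."""
    report = {}
    for connector in ET.fromstring(server_xml).iter("Connector"):
        limit = effective_max_post_size(connector)
        if limit is None:
            status = "unbounded"   # no ceiling at all: large-body resource exhaustion risk
        elif limit < required_post_bytes:
            status = "too-small"   # the trailing CSRF token field will not reach the app
        else:
            status = "ok"
        report[connector.get("port")] = (limit, status)
    return report


if __name__ == "__main__":
    # A 5 MB domain-designer post, as an illustrative size.
    for port, (limit, status) in audit_connectors(SERVER_XML, 5_000_000).items():
        print(f"port {port}: limit={limit} -> {status}")
```

Prefer raising the limit to a value just above the largest legitimate post, as the answer's example does, over disabling it: an unbounded connector accepts arbitrarily large bodies from anyone who can reach the port.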

Customer's Session TimeOut in zen-cart

I have Zen Cart's demo site implemented. For customers who are registered on my site or have logged in to my Zen Cart site, the session timeout is around 1 hour.
Now the main question is, I want to decrease my Zen Cart customer login session timeout to 10 min. After 10 idle minutes the customer gets logged off by the session timeout.
I have tried one Zen Cart plugin for a custom timeout, but it has no effect. So can anyone help me solve this issue?
In your sessions.php file Zen Cart grabs 'session.gc_maxlifetime' from the php.ini file. If you want to change it you should be able to simply define('SESSION_TIMEOUT_CATALOG', 16440); or change the session life var: $SESS_LIFE = 12440;
Edit: this worked for me, just change this in includes/functions/sessions.php:
#ini_set('session.gc_maxlifetime', 10440);
On the customer side, Zen Cart doesn't impose a specific session duration. That's handled by your server's PHP configuration.
Change your php.ini setting for session.gc_maxlifetime to whatever you desire it to be.

Difference between "cloning" a request and "replaying" a request?

I'm new to Fiddler and have run across something that seems strange to me. If I select an entry and then click Replay, I get different behavior from when I drag an entry into the Composer window and click Execute.
Should the behavior of these two methods of re-making a request be different?
Note: I called the second method "cloning" a request because the Composer window says "You can clone a prior request by dragging and dropping a session from the Web Sessions list."
What is the "different behavior" specifically?
The two operations you describe should behave the same way unless the server returns a redirect or an authentication challenge, in which case preferences will control whether Fiddler automatically authenticates and/or follows the redirect.
Please feel free to email me (Help > Send Feedback) details and/or screenshots of the difference you see.

Different GWT applications running on the same server interfere with each other from the same browser

I have a GWT application on Jetty. After configuring different access ports etc., a user can start this application many times (for example 2 times) on the same server machine. We noticed that when accessing those two different instances from the same browser, they interfere with each other, e.g. one kicks the other's session out.
If accessing from different browsers, e.g. IE and Firefox or Chrome, there is no problem.
Of course, there is no problem if the two applications are running on different servers.
Has anyone seen the same behavior before? How can this problem be fixed?
If your server uses cookies to maintain sessions, and both browser instances share the same set of cookies, then when the second one logs in, it must kick the first one out - how can the same cookie have more than one value?
Options to try:
don't use cookies to track sessions
don't require the second tab/window to log in, but recognize that it is already logged in
don't support the same user pretending to be two users at one time
JSESSIONID is used for protection from cross-site request forgery attacks. Check how you set this cookie. Typically, you would set it like this:
<script type="text/javascript">
    var info = "<%=XsrfTokenUtil.getToken(request.getSession().getId()) %>";
</script>
If you do it this way, you should get the same token (value) for each browser window, as long as you have a single session. Try to find out why you set a new value every time.
Also, if you need an ability to have multiple windows, you can allow duplicate cookies in XsrfTokenUtil:
final Cookie sessionCookie = getCookie(cookies, "JSESSIONID", false);
Replace false with true to allow duplicate cookies.
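Both answers above come down to cookie scoping: a browser keys its cookie jar by host, not by port, so two instances of the application on different ports of the same server share one JSESSIONID, and an anti-CSRF token derived from the session id is only as stable as that cookie. The simulation below is an added example, not GWT's XsrfTokenUtil or any code from the thread: it binds the token to the session id with an HMAC (a design assumption of this example, not GWT's actual scheme), verifies a form post against the cookie jar, and then shows two windows of one session agreeing on the token while a second login overwriting the cookie invalidates the first window's token. The secret and session ids are constructed values.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret (constructed here; a real server would load it from configuration).
SERVER_SECRET = secrets.token_bytes(32)


def xsrf_token_for_session(session_id, secret=SERVER_SECRET):
    """Derive the anti-CSRF token from the session id.
    HMAC binding is an assumption of this example, not GWT's XsrfTokenUtil implementation."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_post(cookie_jar, form_fields, secret=SERVER_SECRET):
    """Server-side check: the token in the body must match the JSESSIONID cookie sent with it."""
    session_id = cookie_jar.get("JSESSIONID")
    token = form_fields.get("xsrf_token")
    if session_id is None or token is None:
        return False
    # Constant-time comparison so token checks do not leak through timing.
    return hmac.compare_digest(token, xsrf_token_for_session(session_id, secret))


def simulate_two_instances_one_browser():
    """Two app instances on the same host (different ports) share one cookie jar,
    because cookies are scoped by host, not by port.
    Returns (same_session_same_token, window1_still_valid, window3_valid)."""
    jar = {}                                   # one browser = one jar for all its windows
    jar["JSESSIONID"] = "session-A"            # window 1 logs in to the instance on port 8080
    token_window1 = xsrf_token_for_session(jar["JSESSIONID"])
    token_window2 = xsrf_token_for_session(jar["JSESSIONID"])  # window 2, same session
    same_session_same_token = token_window1 == token_window2

    jar["JSESSIONID"] = "session-B"            # window 3 logs in to the instance on port 8081
    # Window 1 still holds the token for session-A, but the browser now sends session-B.
    window1_still_valid = verify_post(jar, {"xsrf_token": token_window1})
    window3_valid = verify_post(jar, {"xsrf_token": xsrf_token_for_session("session-B")})
    return same_session_same_token, window1_still_valid, window3_valid


if __name__ == "__main__":
    print(simulate_two_instances_one_browser())
```

Seen this way, the "kicked out" symptom is the expected outcome of a shared cookie, not a bug in the token code: the fixes are the ones the first answer lists (separate hosts, a single shared login, or not treating one browser as two users), and loosening duplicate-cookie handling only hides the conflict.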

IIS 7.5: Setting 'app pool user' as the anonymous user programmatically

I have a web app in IIS 7.5 with its own AppPool using .NET 4.
I want to use the feature of having anonymous access as the app pool identity - which is easily configured in a GUI via the inetmgr snapin.
Is there any way do this programmatically, for instance through web.config?
I've looked around and it appears that the anonymousAuthentication element does the trick, but it does not explain how to specify the app pool user in any significant way. I've tried setting my anon user to 'IIS APPPOOL/[AppPoolName]' as seems to be suggested here, with no success.
Any suggestions to how this is supposed to be configured?
Taking a closer look at that link: http://www.iis.net/ConfigReference/system.webServer/security/authentication/anonymousAuthentication
'If you leave this value blank (that is, username=""), Anonymous authentication uses the application pool identity to authenticate anonymous users'
For the lazy (me):
<system.webServer>
    <security>
        <authentication>
            <anonymousAuthentication userName="" />
        </authentication>
    </security>
</system.webServer>