Problem with Forms Authentication cookies

[Scott]

Hi,

We're having an issue with Forms Authentication cookies being treated as
expired / invalid, and being deleted. This is causing our intranet users a
great deal of pain

- Running IIS 5.0 on Win2k Server
- Forms Authentication is setup with a timeout value of 45 minutes in
web.config
- Session timeout is set to 45 minutes in web.config

In viewing the IIS logs, we an see a request for an aspx page (a POST) with
a response of 302. The log shows the cookies sent in with the request -
only 2, the ASP.NET_SessionID cookie and the Forms Authentication cookie,
which we named CSSAuth.

The next request coming is is a GET request for the Forms Authentication
login aspx page. The query string contains the url of the originally
requested page. In this request there is only one cookie - the
ASP.NET_SessionID cookie. The CSSAuth cooke is NOT THERE in this request.

In looking at the logs for NORMAL expired authentication redirects these
requests always contain the CSSAuth cookie, even though it is ezpired. In
the cases where users get redirected to login prior to authentication
timeout, the cookie is missing from the GET request issued in response to
the redirect.

Why is this authentication ticket cookie seen as invalid prior to timeout?
Why is this cookie being removed? What piece of code is responsible for
doing all this?

Scott L.

[Rajesh.V]

We had the same problem, after lot of hunting, we found, running Antivirus
software causes the web.config, global.asax or the dll to be touched. The
causes the workerprocess to recycle and u loose all session. And this
happens randomly, and sessions dont last beyond 3 mins.

The best solution is using out of process session management. That is in an
sql server.

"Scott" <ScottLorenz@UniversalComputerSys.Com> wrote in message
news:OtxKLh1kDHA.2500@TK2MSFTNGP10.phx.gbl...

> Hi,
>
> We're having an issue with Forms Authentication cookies being treated as
> expired / invalid, and being deleted. This is causing our intranet users a
> great deal of pain
>
> - Running IIS 5.0 on Win2k Server
> - Forms Authentication is setup with a timeout value of 45 minutes in
> web.config
> - Session timeout is set to 45 minutes in web.config
>
> In viewing the IIS logs, we an see a request for an aspx page (a POST)

with

> a response of 302. The log shows the cookies sent in with the request -
> only 2, the ASP.NET_SessionID cookie and the Forms Authentication cookie,
> which we named CSSAuth.
>
> The next request coming is is a GET request for the Forms Authentication
> login aspx page. The query string contains the url of the originally
> requested page. In this request there is only one cookie - the
> ASP.NET_SessionID cookie. The CSSAuth cooke is NOT THERE in this request.
>
> In looking at the logs for NORMAL expired authentication redirects these
> requests always contain the CSSAuth cookie, even though it is ezpired.

In

> the cases where users get redirected to login prior to authentication
> timeout, the cookie is missing from the GET request issued in response to
> the redirect.
>
> Why is this authentication ticket cookie seen as invalid prior to timeout?
> Why is this cookie being removed? What piece of code is responsible for
> doing all this?
>
> Scott L.
>
>