Random Authentication Sign Outs in ASP.NET Core 2.1 #2084

Closed
Rightio-Limited opened this Issue Nov 28, 2018 · 4 comments


Rightio-Limited commented Nov 28, 2018

I'm receiving user complaints saying they are being directed to the login screen randomly when it has only been a minute or so since they clicked a button that would have sent a message to the server side.

Here is a log of one of the errors.

```text
[INF] Executed action "MyAppManager.Controllers.API.AgreementAPIController.GetAgreements (MyAppManager)" in 1473.4897ms (afa2e885)
[INF] Request finished in 1474.816ms 200 application/json; charset=utf-8 (791a596a)
[INF] Request starting HTTP/1.1 GET http://MyAppmanager.MyApp.co.uk/api/AgreementAPI/GetAgreements?searchTerm=1543309403289 (ca22a1cb)
[INF] Entity Framework Core "2.1.3-rtm-32065" initialized '"IdentityDbContext"' using provider '"Microsoft.EntityFrameworkCore.SqlServer"' with options: "None" (9958f5bb)
[INF] Executed DbCommand ("1"ms) [Parameters=["@__get_Item_0='?' (DbType = Int32)"], CommandType='Text', CommandTimeout='30']" ""SELECT TOP(1) [e].[UserId], [e].[AcquisitionTeamId], [e].[AreaNumber], [e].[AuthorisationPassword], [e].[AutoBooking], [e].[AutoUpdateSoftware], [e].[AvayaFullName], [e].[AvayaName], [e].[AvaysExt], [e].[CanSellAgreement], [e].[ChangePassword], [e].[CompanyId], [e].[DateEnded], [e].[DateStarted], [e].[DebugLogs], [e].[DefaultQuotes], [e].[DepartmentId], [e].[EmailAddress], [e].[Forename], [e].[HomeServeEmployee], [e].[Initials], [e].[IsPurchaseOrderReviewer], [e].[JobTitle], [e].[LogonName], [e].[MaxLogins], [e].[Message], [e].[Name], [e].[Notes], [e].[PartTime], [e].[Password], [e].[ReportDDI], [e].[RoleId], [e].[Shift], [e].[ShowEngineerAlert], [e].[Surname], [e].[TerminationId], [e].[TrackFastVersion], [e].[UnreadMessage], [e].[VisibleOnChronicle] FROM [Users] AS [e] WHERE [e].[UserId] = @__get_Item_0" (0723d8ff)
[INF] AuthenticationScheme: "Identity.Application" signed out. (d3f50c8d)
[INF] AuthenticationScheme: "Identity.External" signed out. (d3f50c8d)
[INF] AuthenticationScheme: "Identity.TwoFactorUserId" signed out. (d3f50c8d)
**[INF] "Identity.Application" was not authenticated. Failure message: "No principal." (48071232)**
[INF] Route matched with "{action = \"GetAgreements\", controller = \"AgreementAPI\", page = \"\", area = \"\"}". Executing action "MyAppManager.Controllers.API.AgreementAPIController.GetAgreements (MyAppManager)" (a44c0341)
[INF] Authorization failed. (b15dd539)
[INF] Authorization failed for the request at filter '"Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter"'. (8b6446cb)
[INF] Executing ChallengeResult with authentication schemes ([]). (f3dca807)
[INF] AuthenticationScheme: "Identity.Application" was challenged. (d45f1f38)
[INF] Executed action "MyAppManager.Controllers.API.AgreementAPIController.GetAgreements (MyAppManager)" in 0.3846ms (afa2e885)
[INF] Request finished in 9.3835ms 401 (791a596a)
[INF] Request starting HTTP/1.1 POST http://MyAppmanager.MyApp.co.uk/API/CustomerAPI/WriteToLog/ application/x-www-form-urlencoded; charset=UTF-8 61 (ca22a1cb)
[INF] Route matched with "{action = \"WriteToLog\", controller = \"CustomerAPI\", page = \"\", area = \"\"}". Executing action "MyAppManager.Controllers.API.CustomerAPIController.WriteToLog (MyAppManager)" (a44c0341)
[INF] Executing action method "MyAppManager.Controllers.API.CustomerAPIController.WriteToLog (MyAppManager)" with arguments (["ERROR: WebAPI call is not authenticated", "error"]) - Validation state: Valid (4e3479ed)
[ERR] Client log: ERROR: WebAPI call is not authenticated (d4244074)
```

Startup File

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddScoped<IRFDbRepository, RFDbRepository>();

    var connection = _configuration.GetConnectionString("RFDbConnection");
    services.Configure<ConnectionStrings>(_configuration.GetSection("ConnectionStrings"));
    services.AddDbContext<RFDbContext>(options => options.UseSqlServer(connection));
    services.AddDbContext<IdentityDbContext>(options => options.UseSqlServer(connection));

    services.AddAutoMapper();

    // Identity with custom user/role stores
    services.AddIdentity<User, UserRole>().AddDefaultTokenProviders();
    services.AddTransient<IUserStore<User>, UserStore>();
    services.AddTransient<IRoleStore<UserRole>, RoleStore>();

    services.ConfigureApplicationCookie(options =>
    {
        options.LoginPath = "/Identity/Account/Login";
        options.LogoutPath = "/Identity/Account/Logout";
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
        options.SlidingExpiration = true;
    });

    services.AddMvc()
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_1)
        .AddRazorPagesOptions(options =>
        {
            options.AllowAreas = true;
            options.Conventions.AuthorizeAreaPage("Identity", "/Account/Logout");
        });
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IRFDbRepository rFDbRepository)
{
    loggerFactory.AddFile(_configuration.GetValue<string>("Logging:LogFile"));

    app.UseStaticFiles();
    app.UseAuthentication();
    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
        routes.MapRoute(
            name: "ActionApi",
            template: "api/{controller}/{action}/{id?}");
    });

    rFDbRepository.TestConnection();
}
```

Also I've set up the app pool as below:

[screenshot of the IIS application pool settings; image not included in the text]


Rightio-Limited commented Nov 28, 2018

I do have a custom implementation of the UserStore and RoleStore, but I don't know where to begin in debugging this.


Rightio-Limited commented Nov 29, 2018

I've finally worked out what this is. It's to do with cookie validation checking being run every 30 mins by default. It's a fault in asp.net core 2.1 and should be fixed in 2.2.
See this thread for further details.
https://stackoverflow.com/questions/53450844/session-logged-out-too-soon


blowdart commented Nov 29, 2018

The interval at which it runs is configurable. Is your problem that when it checks it will always lock you out? If that is the case are you implementing a security stamp?

You remove the validator altogether by removing the event in the cookie options.
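As an added illustration of the two knobs mentioned above (not code from the issue or from the ASP.NET Core team): the validation interval is set through `SecurityStampValidatorOptions`, the validator is removed by replacing the `OnValidatePrincipal` cookie event, and a custom store that implements `IUserSecurityStampStore<User>` must hand back a stable stamp, otherwise every periodic check rejects the principal and signs the user out. The `ConfigureCookieValidation` helper, the `partial` modifier on `UserStore` and the `SecurityStamp` column on `User` are assumptions for the example.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class CookieValidationSetup
{
    // Assumed helper: call from Startup.ConfigureServices after services.AddIdentity<User, UserRole>().
    public static void ConfigureCookieValidation(IServiceCollection services)
    {
        // Option A: keep the periodic security-stamp check but run it less often
        // than the 30-minute default.
        services.Configure<SecurityStampValidatorOptions>(o =>
        {
            o.ValidationInterval = TimeSpan.FromHours(2);
        });

        // Option B: remove the validator by replacing the cookie event that triggers it.
        // Trade-off: a password change or a refreshed security stamp will then no longer
        // invalidate cookies that are already issued; they live until ExpireTimeSpan.
        services.ConfigureApplicationCookie(options =>
        {
            options.Events.OnValidatePrincipal = context => Task.CompletedTask;
        });
    }
}

// Custom store (assumed partial, extending the issue's UserStore) that supports
// security stamps. Once this interface is implemented, UserManager.SupportsUserSecurityStamp
// is true and the validator compares the cookie's stamp claim with GetSecurityStampAsync.
public partial class UserStore : IUserSecurityStampStore<User>
{
    public Task SetSecurityStampAsync(User user, string stamp, CancellationToken ct)
    {
        user.SecurityStamp = stamp; // assumed column; persisted by the store's UpdateAsync
        return Task.CompletedTask;
    }

    // Must return the same value on every call until the stamp is deliberately changed
    // (e.g. on password change). A null or changing value fails every periodic check.
    public Task<string> GetSecurityStampAsync(User user, CancellationToken ct)
        => Task.FromResult(user.SecurityStamp);
}
```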


blowdart commented Dec 6, 2018

We're closing this issue as the behaviour discussed seems to be by design.

@blowdart blowdart closed this Dec 6, 2018
