This repository has been archived by the owner. It is now read-only.

Random Authentication Sign Outs in ASP.NET Core 2.1 #2084

Closed
ben-foster-rightio opened this issue Nov 28, 2018 · 4 comments

Comments


@ben-foster-rightio ben-foster-rightio commented Nov 28, 2018

I'm receiving user complaints saying they are being directed to the login screen randomly when it has only been a minute or so since they clicked a button that would have sent a message to the server side.

Here is a log of one of the errors.

```text
[INF] Executed action "MyAppManager.Controllers.API.AgreementAPIController.GetAgreements (MyAppManager)" in 1473.4897ms (afa2e885)
[INF] Request finished in 1474.816ms 200 application/json; charset=utf-8 (791a596a)
[INF] Request starting HTTP/1.1 GET http://MyAppmanager.MyApp.co.uk/api/AgreementAPI/GetAgreements?searchTerm=1543309403289 (ca22a1cb)
[INF] Entity Framework Core "2.1.3-rtm-32065" initialized '"IdentityDbContext"' using provider '"Microsoft.EntityFrameworkCore.SqlServer"' with options: "None" (9958f5bb)
[INF] Executed DbCommand ("1"ms) [Parameters=["@__get_Item_0='?' (DbType = Int32)"], CommandType='Text', CommandTimeout='30']" ""SELECT TOP(1) [e].[UserId], [e].[AcquisitionTeamId], [e].[AreaNumber], [e].[AuthorisationPassword], [e].[AutoBooking], [e].[AutoUpdateSoftware], [e].[AvayaFullName], [e].[AvayaName], [e].[AvaysExt], [e].[CanSellAgreement], [e].[ChangePassword], [e].[CompanyId], [e].[DateEnded], [e].[DateStarted], [e].[DebugLogs], [e].[DefaultQuotes], [e].[DepartmentId], [e].[EmailAddress], [e].[Forename], [e].[HomeServeEmployee], [e].[Initials], [e].[IsPurchaseOrderReviewer], [e].[JobTitle], [e].[LogonName], [e].[MaxLogins], [e].[Message], [e].[Name], [e].[Notes], [e].[PartTime], [e].[Password], [e].[ReportDDI], [e].[RoleId], [e].[Shift], [e].[ShowEngineerAlert], [e].[Surname], [e].[TerminationId], [e].[TrackFastVersion], [e].[UnreadMessage], [e].[VisibleOnChronicle] FROM [Users] AS [e] WHERE [e].[UserId] = @__get_Item_0" (0723d8ff)
[INF] AuthenticationScheme: "Identity.Application" signed out. (d3f50c8d)
[INF] AuthenticationScheme: "Identity.External" signed out. (d3f50c8d)
[INF] AuthenticationScheme: "Identity.TwoFactorUserId" signed out. (d3f50c8d)
**[INF] "Identity.Application" was not authenticated. Failure message: "No principal." (48071232)**
[INF] Route matched with "{action = \"GetAgreements\", controller = \"AgreementAPI\", page = \"\", area = \"\"}". Executing action "MyAppManager.Controllers.API.AgreementAPIController.GetAgreements (MyAppManager)" (a44c0341)
[INF] Authorization failed. (b15dd539)
[INF] Authorization failed for the request at filter '"Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter"'. (8b6446cb)
[INF] Executing ChallengeResult with authentication schemes ([]). (f3dca807)
[INF] AuthenticationScheme: "Identity.Application" was challenged. (d45f1f38)
[INF] Executed action "MyAppManager.Controllers.API.AgreementAPIController.GetAgreements (MyAppManager)" in 0.3846ms (afa2e885)
[INF] Request finished in 9.3835ms 401 (791a596a)
[INF] Request starting HTTP/1.1 POST http://MyAppmanager.MyApp.co.uk/API/CustomerAPI/WriteToLog/ application/x-www-form-urlencoded; charset=UTF-8 61 (ca22a1cb)
[INF] Route matched with "{action = \"WriteToLog\", controller = \"CustomerAPI\", page = \"\", area = \"\"}". Executing action "MyAppManager.Controllers.API.CustomerAPIController.WriteToLog (MyAppManager)" (a44c0341)
[INF] Executing action method "MyAppManager.Controllers.API.CustomerAPIController.WriteToLog (MyAppManager)" with arguments (["ERROR: WebAPI call is not authenticated", "error"]) - Validation state: Valid (4e3479ed)
[ERR] Client log: ERROR: WebAPI call is not authenticated (d4244074)
```

Startup File
```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddScoped<IRFDbRepository, RFDbRepository>();
    var connection = _configuration.GetConnectionString("RFDbConnection");
    services.Configure<ConnectionStrings>(_configuration.GetSection("ConnectionStrings"));
    services.AddDbContext<RFDbContext>(options => options.UseSqlServer(connection));
    services.AddDbContext<IdentityDbContext>(options => options.UseSqlServer(connection));
    services.AddAutoMapper();

    // Identity with custom user/role stores replacing the EF Core defaults
    services.AddIdentity<User, UserRole>().AddDefaultTokenProviders();
    services.AddTransient<IUserStore<User>, UserStore>();
    services.AddTransient<IRoleStore<UserRole>, RoleStore>();

    services.ConfigureApplicationCookie(options =>
    {
        options.LoginPath = "/Identity/Account/Login";
        options.LogoutPath = "/Identity/Account/Logout";
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
        options.SlidingExpiration = true;
    });

    services.AddMvc()
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_1)
        .AddRazorPagesOptions(options =>
        {
            options.AllowAreas = true;
            options.Conventions.AuthorizeAreaPage("Identity", "/Account/Logout");
        });
}
```

```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IRFDbRepository rFDbRepository)
{
    loggerFactory.AddFile(_configuration.GetValue<string>("Logging:LogFile"));
    app.UseStaticFiles();
    app.UseAuthentication();
    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
        routes.MapRoute(
            name: "ActionApi",
            template: "api/{controller}/{action}/{id?}");
    });
    rFDbRepository.TestConnection();
}
```

Also I've set up the app pool as below:
[image: app pool settings screenshot, not included in this extract]


@ben-foster-rightio ben-foster-rightio commented Nov 28, 2018

I do have a custom implementation of the UserStore and RoleStore, but I don't know where to begin in debugging this.


@ben-foster-rightio ben-foster-rightio commented Nov 29, 2018

I've finally worked out what this is. It's to do with cookie validation checking being run every 30 mins by default. It's a fault in asp.net core 2.1 and should be fixed in 2.2.
See this thread for further details.
https://stackoverflow.com/questions/53450844/session-logged-out-too-soon


@blowdart blowdart commented Nov 29, 2018

The interval at which it runs is configurable. Is your problem that when it checks it will always lock you out? If that is the case are you implementing a security stamp?

You remove the validator altogether by removing the event in the cookie options.
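The two points above (the configurable interval, and a custom store needing a security stamp) in code, as an added example that is neither the issue author's code nor part of ASP.NET Core. Assumptions: `User` and `UserStore` are the types registered in the issue's Startup.cs, shown here as `partial` classes so their existing members are untouched; `User` gets a hypothetical `SecurityStamp` string column; `ConfigureIdentityValidation` is a hypothetical helper called from `ConfigureServices` after `AddIdentity` and `ConfigureApplicationCookie`.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Added example; not the issue author's code and not ASP.NET Core's own.
public partial class Startup
{
    // Hypothetical helper, called from ConfigureServices after AddIdentity.
    public void ConfigureIdentityValidation(IServiceCollection services)
    {
        // AddIdentity wires SecurityStampValidator into the application
        // cookie's OnValidatePrincipal event. Once a cookie is older than
        // ValidationInterval (30 minutes by default) the validator reloads the
        // user from the store and, if the store supports stamps, compares the
        // stored stamp with the stamp claim issued at sign-in. A failed check
        // rejects the principal and signs out every Identity scheme, which is
        // the exact sequence in the issue's log.
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            options.ValidationInterval = TimeSpan.FromMinutes(30);
        });

        // The alternative mentioned in the thread: replacing the event with a
        // no-op disables the check. Cookies then stay valid until
        // ExpireTimeSpan even after a password change or lockout, so the
        // stamp implementation below is the safer route.
        // services.ConfigureApplicationCookie(o =>
        //     o.Events.OnValidatePrincipal = _ => Task.CompletedTask);
    }
}

// A custom store only takes part in the stamp comparison when it implements
// IUserSecurityStampStore<TUser>; UserManager.SupportsUserSecurityStamp is
// derived from that. Without it the validator only checks that FindByIdAsync
// still returns a user for the id in the cookie, so a store that returns
// null there signs the user out at the first validation.
public partial class UserStore : IUserSecurityStampStore<User>
{
    public Task SetSecurityStampAsync(User user, string stamp, CancellationToken cancellationToken)
    {
        if (user == null) throw new ArgumentNullException(nameof(user));
        user.SecurityStamp = stamp;   // persisted by the store's existing UpdateAsync
        return Task.CompletedTask;
    }

    public Task<string> GetSecurityStampAsync(User user, CancellationToken cancellationToken)
    {
        if (user == null) throw new ArgumentNullException(nameof(user));
        return Task.FromResult(user.SecurityStamp);
    }
}

public partial class User
{
    // Hypothetical column. UserManager regenerates it on CreateAsync, on a
    // password change and on UpdateSecurityStampAsync, which is what turns
    // those events into a revocation of older cookies at the next check.
    public string SecurityStamp { get; set; }
}
```

Two things to check before enabling this on an existing user table: every row needs a non-empty stamp first, because the claims factory builds a `Claim` from `GetSecurityStampAsync` at sign-in and a null value throws there; and the value the store returns must be stable between sign-in and the next validation, since any difference (a regenerated or trimmed value, a column the read path does not map) produces the same "signed out after ValidationInterval" symptom the issue describes.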


@blowdart blowdart commented Dec 6, 2018

We're closing this issue as the behaviour discussed seems to be by design.

@blowdart blowdart closed this Dec 6, 2018