One of our ASP.NET web applications had been in production for months. Last week we received reports that, on a few computers, users could not log in with their correct credentials. We asked them to give us administrator control of one of the computers on which the problem happened. After making sure that the browser security settings, anti-spyware, anti-virus and anything else that might cause the problem had been ruled out, we decided to install an HTTP traffic monitor such as IE Web Developer V2 to see what was happening between this computer and our website:
- The browser requests the login.aspx page
- The server responds with the login page
- The user fills in the login form and submits it, so the browser POSTs the form back to login.aspx
- If the credentials are valid, the server responds with a 302 redirect, a Location header pointing to protected.aspx, and a Set-Cookie header carrying the encrypted Forms Authentication ticket. Up to this point everything looks exactly as it does on a working computer.
- The browser follows the redirect, but the request for protected.aspx carries no authentication cookie, so the server sends it back to login.aspx again
Nothing obvious caused the problem, and after five days we were frustrated at not even being able to tell whether the fault was on the client side or the server side, even after we had:
- Replaced the authentication module with a new one
- Set up a brand-new copy of the application in a sandbox
- Reviewed the web server configuration
- Tried anything else we could think of...
A real headache, huh?
Thank goodness, when we had almost run out of time and were receiving more bad reports from our users, we found the reason. I'm glad to share our report on this problem with you (identifying details have been removed).
Introduction
- When a user provides the correct username and password, Concorde sends them an authentication cookie. The Forms Authentication ticket inside it carries an issue date and an expiry date, and the cookie's own Expires attribute is set to that expiry date; all of these dates are expressed in GMT.
- In our application the authentication cookie expires 30 minutes after it is issued, as set by the timeout attribute of the <forms ...> element in Web.config.
- This cookie is what identifies the visitor on every later request, since HTTP itself is stateless; a request to a protected page that arrives without it is treated as anonymous and redirected to the login page.
Problems
- Users occasionally can't log in on a few computers. The reports seemed to point at Internet Explorer 6; Firefox and IE 7 seemed to be fine.
- We rewrote the code to replace the authentication with an alternative method, but it did not help.
- Tracing the raw HTTP with HTTP traffic monitoring tools showed that:
o The login code works correctly
o The authentication cookie is issued, but Internet Explorer appears to reject it without giving a reason (it is certainly not blocked by a security policy): the cookie appears and is then lost ==> YES, this is the problem.
- We checked to make sure nothing strange was going on with:
o The browser and its security and privacy settings
o The client's antivirus, firewall, anti-spyware, ...
o The settings of the websites, domains and sub-domains, and the whole IIS configuration; still nothing.
o The online community was no help at all.
Root cause
- Almost out of ideas, we asked: what about the cookie's expiry time?
- Following that idea, we found something wrong with the cookie's expiry date. We had not noticed it before because the value is in GMT while the client machine is in GMT-7. Converting the current time on the server machine and on the client machine to GMT made it clear that the cookie's expiry date was already in the past from the client's point of view, so of course IE rejected it. A browser compares the Expires attribute of a Set-Cookie header with its own clock, not the server's, so a client clock running more than 30 minutes ahead of the server receives a cookie that is already dead on arrival and is never stored or sent back.
- That means something was wrong with the clock on either the server or the client machine. Since the bug happened only occasionally and only on some machines, the client's clock had to be the wrong one. I checked and saw that this machine did not synchronize automatically with an Internet time server. That was it.
- We also noticed that this might be a Daylight Saving Time problem, and found a useful article at http://support.microsoft.com/kb/934413
Solution
- Change the timeout of the authentication cookie from 30 minutes to 120 minutes by setting timeout="120" in Web.config:
  <forms name="XYZAuthentication" protection="All" path="/" loginUrl="~/Login.aspx" slidingExpiration="true" timeout="120" cookieless="UseCookies"/>
  This is a workaround rather than a fix: it tolerates client clocks up to two hours fast, but it also lengthens the window in which a ticket stays valid, so the timeout should not be raised further than necessary.
- Note that this still will not work when the clock on the client machine is more than 2 hours (120 minutes) ahead of the server's, so ask end users to:
o Synchronize automatically with an Internet time server, as shown in the attached screenshot
o Follow Microsoft's Daylight Saving Time help at http://support.microsoft.com/dst2007
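The browser-side decision described in the Root cause section, and the two-hour limit of the workaround in the Solution section, as an added JavaScript example that is not part of the original post or of Concorde's code. It builds the Set-Cookie header a server would emit for a given timeout, applies the check every browser makes against its own clock, and includes the skew measurement (HTTP Date header versus client clock) that would have pointed at the clock straight away. The cookie name comes from the Web.config above; the ticket placeholder, the server time, the Date header and the 45-minute and 150-minute skews are constructed assumptions.

```javascript
// Added example (not the original post's or Concorde's code): why a Forms
// Authentication cookie with an Expires date in GMT is "dead on arrival" when
// the client's clock runs ahead of the server's, and why timeout="120" masks
// skews of under two hours but not larger ones.
//
// Everything below is constructed: the ticket value is a placeholder, the
// server time and the client clock skews are assumptions.

// Split a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// What the server emits for a ticket issued at serverNowMs with the Web.config
// timeout (minutes). The Expires attribute is an absolute GMT timestamp, which
// is the root of the problem: the browser interprets it with its own clock.
function issueAuthCookie(serverNowMs, timeoutMinutes) {
  const expires = new Date(serverNowMs + timeoutMinutes * 60000).toUTCString();
  return `XYZAuthentication=<encrypted-ticket>; expires=${expires}; path=/`;
}

// The browser's check (RFC 6265 storage model): a cookie whose Expires is not
// in the future, as measured by the CLIENT clock, is discarded immediately and
// never sent back. A cookie without Expires is a session cookie and is kept.
function browserAcceptsCookie(setCookieHeader, clientNowMs) {
  const c = parseSetCookie(setCookieHeader);
  if (c.attrs.expires === undefined) return true;
  const expiresMs = Date.parse(c.attrs.expires);
  if (Number.isNaN(expiresMs)) return true; // an unparsable Expires is ignored
  return expiresMs > clientNowMs;
}

// Diagnostic: the HTTP Date response header is always GMT, so comparing it
// with the client's own clock gives the skew directly (positive = client fast).
function clockSkewMinutes(serverDateHeader, clientNowMs) {
  return (clientNowMs - Date.parse(serverDateHeader)) / 60000;
}

// One login attempt: the server issues the cookie at SERVER_NOW; the client's
// clock is skewMinutes ahead (or behind, if negative).
const SERVER_NOW = Date.parse('Thu, 15 Nov 2007 10:00:00 GMT'); // assumed value
function loginAttempt(timeoutMinutes, skewMinutes) {
  const clientNow = SERVER_NOW + skewMinutes * 60000;
  const setCookie = issueAuthCookie(SERVER_NOW, timeoutMinutes);
  return {
    skew: clockSkewMinutes(new Date(SERVER_NOW).toUTCString(), clientNow),
    accepted: browserAcceptsCookie(setCookie, clientNow),
  };
}

// Constructed scenarios matching the post: a client clock 45 minutes fast is
// refused the 30-minute cookie but keeps the 120-minute one; a clock more than
// two hours fast defeats the 120-minute workaround as well; a slow clock keeps
// the cookie (the server still enforces the ticket's expiry with its own clock).
for (const [timeout, skew] of [[30, 45], [120, 45], [120, 150], [30, -45]]) {
  const r = loginAttempt(timeout, skew);
  console.log(`timeout=${timeout}m skew=${r.skew}m -> ${r.accepted ? 'kept' : 'discarded on arrival'}`);
}
```

The skew measurement is the check worth running first on any machine with this symptom: if `clockSkewMinutes` returns a value larger than the configured timeout, no amount of application or IIS debugging will help, and fixing the client clock (or issuing a session cookie without an absolute Expires, letting the server alone enforce the ticket lifetime) is the real remedy.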