We have been experiencing a session reset problem. At this point, the problem described below has both me and the web host completely baffled.
We continue to receive letters from angry visitors every day who are browsing around the secured area of our web site, and then get booted back to the login page because their session was lost. It's about 5 minutes or so, and then everyone gets booted back to have to log in again.
I've both ensured the web host set the session timeout to 30 minutes, and have also made the following entry in the web.config file:
<sessionState timeout="30" />
Sometimes though, you can sit on a page, do nothing, and then refresh after over 3 minutes and no problem. Other times, with the same page, if you refresh just after 30 seconds, you will get routed back to the login page.
I've contacted the web host and they provided the following information:
"I looked into the issue, and sure enough, your sessions were expiring on me every 5 or so minutes. I checked both settings in IIS and they are set to values 20 minutes and above. I also put you in an isolated application pool, thinking that may be the issue, but to no avail. At this point I suspect it may be a setting you have in your code, and it looks to be pre-compiled."
"I was able to verify that the ASP.NET_SessionId cookie does NOT change when this happens. Even after a re-login, the cookie stays the same. This means that the session is not truly getting reset, otherwise it would have a new cookie with a new randomly generated value. Also, when logged onto the server I can see that the PID of the app pool does not change, either. This indicates that the app pool is not failing."
"It seems the application relies on a .NET assembly called WebXelAuthentication to handle logins. If, for any reason, this assembly erroneously determines the user is not logged in, you get redirected to a login page. This tells me all the login logic is centralized to this component."
We are wondering if any experts here have encountered any similar issues and if you know of a fix or patch for this session reset. We have no problem at this point even switching providers and using the regular .NET login system. However, it seems so much more complicated than it's worth if you already have a database of users set up. All we need is simple cookie username/password validation against our custom MS SQL server database, and a simple ability to obtain a forgotten password to an email address. That's it. We do not need nor want a registration 'wizard' or other item, as we handle new membership entries into the SQL database via manual means.
Just FYI, we have contacted the WebXelAuthentication vendor and they indicate their product uses regular ASP.NET session state, period, and they are unable to troubleshoot beyond that.
Any info on this particular problem would be greatly appreciated.
Thanks in advance,
NOTE: The general language we use is VB.NET, using a MS SQL 2005 database for the login information.