Recently I experienced a strange problem with custom login functionality based on the Forms Authentication method. The visible issue is that sometimes I log in successfully to my application and sometimes I can’t. In all cases the same login details are used. When I reviewed the Event Log I found the following error:
Event viewer error:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Event time: 30/08/2006 15:43:33
Event time (UTC): 30/08/2006 12:43:33
Event ID: 8bffe75e7ff344c78fe1af8c1124e217
Event sequence: 894
Event occurrence: 388
Event detail code: 50201
Below you can find a short explanation and a solution that prevents this behaviour.
The application uses the “machineKey” definition to generate the authentication cookie. If the “machineKey” properties are not initialized in the web.config file, the application uses different values on different servers. So when you have logged in on server X and a later login request is handled by server Y, server Y may receive the cookie issued by server X, which differs from the one server Y would issue. Server Y treats that ticket as invalid and you cannot log in.
Therefore the machineKey properties must always be defined for applications that are moved from server to server. Here is an example of a “machineKey” definition:
You can generate it by using this .exe file: http://omar.mvps.org/pics/SecurityKey.exe
Here is how you can run it: SecurityKey.exe 24 64
You can read more about this problem and its solution in the following article: http://msmvps.com/blogs/omar/archive/2006/08/20/108307.aspx
asp.net, fail login, forms authentication, invalid ticket machine key
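The following PowerShell is an added example, not code from the original post or from the linked SecurityKey.exe tool. It generates a machineKey element with random keys and checks whether a web.config pins explicit keys; the 24- and 64-byte lengths are assumed from the SecurityKey.exe arguments above, and the function names, the validation/decryption settings and the sample file are assumptions made here.

```powershell
# Added example: generate a machineKey element and verify that a web.config
# pins explicit keys instead of per-server auto-generated ones.

function New-HexKey([int]$Bytes) {
    # Cryptographically strong random bytes, rendered as an uppercase hex string.
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ([System.BitConverter]::ToString($buf) -replace '-', '')
}

function New-MachineKeyElement {
    param([int]$DecryptionBytes = 24, [int]$ValidationBytes = 64)
    $d = New-HexKey $DecryptionBytes
    $v = New-HexKey $ValidationBytes
    # Assumption: SHA1/AES as accepted by ASP.NET 2.0. ASP.NET 4.0 and later
    # also accept validation="HMACSHA256".
    return ('<machineKey validationKey="{0}" decryptionKey="{1}" ' +
            'validation="SHA1" decryption="AES" />') -f $v, $d
}

function Test-MachineKeyIsExplicit([string]$WebConfigPath) {
    [xml]$cfg = Get-Content -Raw -LiteralPath $WebConfigPath
    $mk = $cfg.configuration.'system.web'.machineKey
    # A missing element (or one without attributes) means ASP.NET falls back
    # to auto-generated keys that differ on every server.
    if ($mk -isnot [System.Xml.XmlElement]) { return $false }
    foreach ($attr in 'validationKey', 'decryptionKey') {
        $val = $mk.GetAttribute($attr)
        if ([string]::IsNullOrEmpty($val) -or $val -like 'AutoGenerate*') {
            return $false
        }
    }
    return $true
}

# Constructed sample: write a minimal config to a temp file and check it.
$element = New-MachineKeyElement
$sample  = Join-Path ([System.IO.Path]::GetTempPath()) 'web.sample.config'
Set-Content -LiteralPath $sample -Value (
    "<configuration><system.web>$element</system.web></configuration>")

$element
Test-MachineKeyIsExplicit $sample
Remove-Item -LiteralPath $sample
```

Generate the element once and place the identical element under system.web in the web.config on every server that serves the application. The key values are secrets: anyone who holds them can produce tickets the servers will accept.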







The problem is the difference in the default values of the slidingExpiration property in the forms tag.
Important!
For ASP.NET 1.1 slidingExpiration = true by default
whereas
For ASP.NET 2.0 slidingExpiration = false by default
Thanks for your solution, Alexander. It is undoubtedly the easier one.
According to the MSDN:
“slidingExpiration is set to ‘true’ to enforce a sliding session lifetime. This means that the timeout is reset after each request to your application.”
(http://msdn2.microsoft.com/en-US/library/ms998347.aspx)
I haven’t checked it across the servers but I think it should work without problems.
very interesting, but I don’t agree with you
Idetrorce
Hi!
I would like to improve my SQL knowledge.
I read that many SQL books and want to
read more about SQL for my position as oracle database manager.
What would you recommend?
Thanks,
Werutz
Hi Werutz,
Unfortunately I’m not using Oracle and cannot recommend you any learning resources.
Cheers
Hi,
So to clarify, is slidingExpiration supposed to be set to true on both ASP1.1 and ASP2.0 configs or is it supposed to be left as the defaults (true in 1.1, false in 2.0)??
Thanks
What fixed the problem for me was the following. I was double authenticating users. Once I removed the commented line below I stopped getting the error. Farm or no Farm.
If System.Web.Security.Membership.ValidateUser(_txtUsername.Text, _txtPassword.Text) Then
    '*** Remove Line FormsAuthentication.Authenticate(_txtUsername.Text, _txtPassword.Text)
    If _chkRemember.Checked Then
        ' Persistent cookie when "remember me" is ticked
        FormsAuthentication.RedirectFromLoginPage(_txtUsername.Text, True)
    Else
        ' Session cookie otherwise
        FormsAuthentication.RedirectFromLoginPage(_txtUsername.Text, False)
    End If
End If
Removed this line:
FormsAuthentication.Authenticate(_txtUsername.Text, _txtPassword.Text)