Vulnerability in EPiServer.Forms
We have a problem with our editors being asked to login again to the Episerver CMS editor. The problem occurs if they don't have any action on the site for 5-10 minutes.
We are running on a site with two frontend servers, so it is very likely that they suddenly hit the other frontend server after the 5-10 minutes without activity. At least the problem went away when we disabled one of the frontend servers in the loadbalancer.
I have tried to activate SQL Server session state, in case the session was somehow involved with the login. That didn't fix the problem.
Do you have any suggestions as to what I can look for?
I guess you are on to the root cause of the problem, load balancing...
Shared session / sticky sessions are a good first step.
Same machinekey is another...
Anyone got more?
Machine key sounded very likely, since the frontend servers are most likely based on the same virtual machine image. I have tried to generate keys on all frontend servers using IIS manager. Unfortunately it didn't seem to change anything. I'm still asked to login again after an idle period. Could there be an idle timer in Episerver that I'm missing? Or a setting in web.config? I have tried to set the session timeout to 720 minutes.
I would prefer not to use session affinity, if I can.
Configured remote events for triggering cache updates etc? Seems unlikely that it's that but...you'll need it anyway so...
What kind of authentication are you using? Owin or the ASP.NET providers? If the latter you have to set the cookie expiration/timeout:
<forms name=".EPiServerLogin" loginUrl="Login.aspx" timeout="50000000" defaultUrl="~/" />
The max time is 50000000, I think.
Thank you very much for your input.
I have configured remote events using UDP, however I have a feeling that they are not working properly. That is something else I need to look at soon :) We are in the early stages of our project, and so far, it is only the QA environment we are working on.
We are using forms authentication at this point. It will most likely change later, but right now we use the default authentication mechanism that comes with Commerce. The timeout is currently set to 120, which I expect to be 120 minutes.
The problem turned out to be the machine keys after all.
A colleague of mine is apparently better at reading than I am. I had just generated random keys on each server, but he found out that we should use the same machine key on all Episerver servers. After that fix, the problem went away.
Again thank you for your help and good suggestions.
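The shared-key fix described above, as an added PowerShell example that is not part of this thread: it generates one machineKey pair to paste identically into every frontend's web.config, then reads each server's web.config (the UNC paths are assumptions) and checks that all of them carry the same keys, since a forms cookie signed on one node cannot be validated on a node with different keys.

```powershell
# Added example, not from the thread. Generate ONE machineKey pair for the
# whole farm, then verify every frontend's web.config carries that same pair.
function New-MachineKeyHex {
    param([int]$Bytes)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    $rng.Dispose()
    return ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Run once, then paste the SAME element into <system.web> on every server.
$validationKey = New-MachineKeyHex -Bytes 64   # 128 hex chars for HMACSHA256
$decryptionKey = New-MachineKeyHex -Bytes 32   # 64 hex chars for AES-256
$element = "<machineKey validationKey=`"$validationKey`" decryptionKey=`"$decryptionKey`" validation=`"HMACSHA256`" decryption=`"AES`" />"
Write-Output $element

# Check: read <machineKey> from each web.config and compare the key sets.
function Test-MachineKeyConsistency {
    param([string[]]$ConfigPaths)
    $seen = @{}
    foreach ($path in $ConfigPaths) {
        [xml]$cfg = Get-Content -Path $path -Raw
        $mk = $cfg.configuration.'system.web'.machineKey
        if (-not $mk) {
            # No explicit element means ASP.NET auto-generates keys per machine,
            # which is exactly the cross-server login failure seen in this thread.
            Write-Warning "$path has no explicit <machineKey>"
            continue
        }
        $seen[$path] = "$($mk.validationKey)|$($mk.decryptionKey)|$($mk.validation)|$($mk.decryption)"
    }
    $distinct = @($seen.Values | Sort-Object -Unique)
    if ($distinct.Count -eq 1 -and $seen.Count -eq $ConfigPaths.Count) {
        Write-Output "OK: all $($seen.Count) servers share the same machineKey"
        return $true
    }
    Write-Warning "Mismatch: $($distinct.Count) distinct machineKey sets across $($seen.Count) servers"
    return $false
}

# Constructed paths (assumption): one web.config per frontend server.
Test-MachineKeyConsistency -ConfigPaths @('\\web01\c$\inetpub\site\web.config', '\\web02\c$\inetpub\site\web.config')
```

Run the check again after each deployment, since a redeploy that regenerates keys on one node reintroduces the random logouts.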
Sweet! Load balancing can sure cause some nasty bugs :)