MSPSS: is there life after the helpdesk?

sharing solutions to uncommon IT problems

ASP.NET Ticket expiration and Forms timeout



We have an internally developed .NET 2.0 CMS that makes heavy use of Forms authentication.

On a customer’s site we experienced random downtimes (~ twice per month) due to a maxed out pool of connections to the Database server (SQL Server).

Error : System.InvalidOperationException: Timeout expired.  The timeout period elapsed prior to obtaining a connection from the pool.  This may have occurred because all pooled connections were in use and max pool size was reached

When I looked at the IIS logs of the website, around the time of the crash, I could see repeated anonymous calls to pages from the same IP.

Initially I thought of a DoS attack, but then I realised that the same IP, not long before, had been used by an authenticated user.

Then I thought the user must have a virus, but when comparing it with the other downtimes I saw that the users were different each time.

This is when I realized that our application event log was filled with this info message:

Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.

At this stage I started researching how forms authentication times out on .NET 2.0.

As far as I can see, there are 2 timeouts: the ticket expiration and the Forms timeout.

What happened in our site is that the ticket was set to 60 minutes and the Forms timeout (web.config) to 90.

If a user tried to browse in the span of time between minute 61 and 89, his/her browser would start an infinite loop trying to go back to the private homepage, which it could not access as the ticket had expired.

This infinite loop caused the user to exhaust the website’s Database connections.

I even managed to reproduce the problem and get the infinite loop error (HTTP 310).

There are still unanswered questions like:

– Why did the website loop instead of kicking the user out?

– Why didn't the ticket get renewed, although in the web.config it is set to slidingExpiration="true"?

For the moment the Developers and I have agreed to set ticket expiration and forms timeout to the same value and the problem seems to have stopped. I hope I’ll be able to answer those other questions soon.

One more tip: according to my research, these are the only 2 values in .NET that allow you to extend a user's authentication. Our customers use this CMS as a collaboration tool and often demand to have it set to several hours. We did some testing and saw no drawbacks in having both set to 600 minutes.

One more thing: I've also asked our developers to make the ticket expiration an application variable (web.config) so that we can tweak it without having to edit the login page.
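As an added example (not the CMS code from the post), this is one way to implement the two fixes just described: the ticket lifetime is read from an appSettings key instead of being hard-coded in the login page, and a startup check refuses to run when it differs from the `<forms timeout>` value. The web.config fragment in the comments, the key name `TicketExpirationMinutes` and the class name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Assumed web.config fragment (constructed for this example, not from the post):
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" timeout="600" slidingExpiration="true" />
//   </authentication>
//   <appSettings><add key="TicketExpirationMinutes" value="600" /></appSettings>
public static class TicketHelper
{
    // Ticket lifetime comes from appSettings instead of the login page,
    // so it can be tuned together with <forms timeout> without a code change.
    public static int TicketMinutes()
    {
        return int.Parse(ConfigurationManager.AppSettings["TicketExpirationMinutes"]);
    }

    // <forms timeout> as configured, read through the strongly typed section.
    public static int FormsTimeoutMinutes()
    {
        AuthenticationSection auth = (AuthenticationSection)
            WebConfigurationManager.GetSection("system.web/authentication");
        return (int)auth.Forms.Timeout.TotalMinutes;
    }

    // Guard against the mismatch described above: a ticket that expires before
    // the cookie does leaves a window in which every request carries a cookie
    // whose ticket is already expired. Call this from Application_Start.
    public static void AssertTimeoutsMatch()
    {
        if (TicketMinutes() != FormsTimeoutMinutes())
            throw new ConfigurationErrorsException(
                "TicketExpirationMinutes must equal <forms timeout>.");
    }

    // Builds the Forms cookie with the configured ticket lifetime.
    public static HttpCookie IssueCookie(string userName)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(TicketMinutes()),
            false, String.Empty, FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        return cookie;
    }
}
```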




Written by zantoro

July 30, 2013 at 10:03 am

Posted in IIS

