Strange Session Restart

na

I am using form authentication and InProc cookieless session. The
strange thing is that when an authenticated user tries to navigate to any
page that is in a subfolder of the application root, the session is
restarted and a new session id is generated. Thus the user would never be
able to access those pages because each page's InitializeComponent()
checks if (Session.Keys.Count == 0). If yes, then the server transfers the
request to the login.aspx page again.
Does anyone know why the session is restarted? Thanks. The following
are snippets of the web.config and login.aspx:

Web.config
========
<system.web>
  <compilation defaultLanguage="c#" debug="true" />
  <customErrors mode="Off" defaultRedirect="/accessDenied.aspx" />
  <trace enabled="false" requestLimit="10" pageOutput="false"
         traceMode="SortByTime" localOnly="true" />
  <sessionState mode="InProc" cookieless="true" timeout="20" />

  <authentication mode="Forms">
    <forms
      name="my_Authorization"
      loginUrl="Login.aspx"
      protection="All"
      path="/"
      requireSSL="false"
      slidingExpiration="false">
      <credentials passwordFormat="SHA1" />
    </forms>
  </authentication>

  <authorization>
    <deny users="?" />
  </authorization>

</system.web>

<!-- page that does not require login -->
<location path="main.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

<!-- page that does not require login -->
<location path="_Net/forms/StatusChange.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

Login.aspx
=========
private void btnLogin_Click(object sender, System.EventArgs e)
{
    if (Page.IsValid)
    {
        string strAccountName = Server.HtmlEncode(txtAccount.Text);
        string strPassword = Server.HtmlEncode(txtPassword.Text);

        oUserCredential = new User();
        if (oUserCredential.UserCredential(strAccountName, strPassword))
        {
            // Cache the authenticated user's profile in session state.
            Session["Account"] = oUserCredential.Account;
            Session["UserID"] = oUserCredential.UserId;
            Session["UserOrganization"] = oUserCredential.Organization;
            Session["FirstName"] = oUserCredential.FirstName;
            Session["LastName"] = oUserCredential.LastName;
            Session["UserEmail"] = oUserCredential.Email;
            Session["UserRole"] = oUserCredential.Role;
            Session["SrmRole"] = oUserCredential.SrmRole;

            // Return to the originally requested URL.
            System.Web.Security.FormsAuthentication.RedirectFromLoginPage(
                strAccountName, PersistCookie.Checked);
        }
        else
        {
            Msg.Text = "Invalid Credentials: Please try again. <br/>";
        }
    }
}
 
Stoitcho Goutsev (100) [C# MVP]

Is it possible that you write some files in the bin folder? When the bin folder
is changed the ASP.NET runtime recycles the worker process.
I have chased a similar problem and the problem turned out to be exactly this.
There was a third-party control that was writing some file in the bin folder.

--

Stoitcho Goutsev (100) [C# MVP]
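
One way to check the recycle theory in the reply above, as an added example (not code from the thread): a Global.asax.cs that records why the application shut down and when a new session id is issued. It assumes ASP.NET 2.0 or later for HostingEnvironment.ShutdownReason; the log file name session-diag.log and its location in the temp directory are assumptions.

```csharp
// Global.asax.cs -- added diagnostic, not code from the thread.
// Assumes ASP.NET 2.0+ (HostingEnvironment.ShutdownReason, File.AppendAllText).
using System;
using System.IO;
using System.Web;
using System.Web.Hosting;

public class Global : HttpApplication
{
    // Assumed location: outside the application root, so that writing the
    // log can never itself trigger a file-change restart.
    private static readonly string LogPath =
        Path.Combine(Path.GetTempPath(), "session-diag.log");
    private static readonly object Sync = new object();

    private static void Log(string message)
    {
        lock (Sync)
        {
            File.AppendAllText(LogPath, String.Format("{0:o} {1}{2}",
                DateTime.UtcNow, message, Environment.NewLine));
        }
    }

    protected void Application_Start(object sender, EventArgs e)
    {
        // Every restart wipes all InProc sessions.
        Log("application started");
    }

    protected void Application_End(object sender, EventArgs e)
    {
        // BinDirChangeOrDirectoryRename here confirms a write to the bin folder.
        Log("application ended, reason=" + HostingEnvironment.ShutdownReason);
    }

    protected void Session_Start(object sender, EventArgs e)
    {
        // Fires whenever a new session id is issued. Only a prefix of the id
        // is logged, because the full id is a credential.
        string referrer = Request.UrlReferrer == null
            ? "-" : Request.UrlReferrer.AbsolutePath;
        Log(String.Format("new session id={0}... path={1} referrer={2}",
            Session.SessionID.Substring(0, 8), Request.Path, referrer));
    }
}
```

If "new session" lines appear for subfolder requests with no "application ended" line between them, the application was not recycled and the session id is being lost on the request itself.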

na

Thanks for responding. There is no process that would write to the bin
directory. I investigated that if I don't use the form authentication,
and just use my own navigation, the session variables are kept. Also,
if I flatten the application's directory structure where everything
resides in the same directory, even with form authentication, the
session variables will be persisted. I begin to wonder whether there is some
sort of buggy logic in .Net Framework Session and Form Authentication.
 
