
Sitefinity Community Edition Keeps Signing Out

12 posts, 0 answered
  1. Richardsonke
    10 posts, registered 10 Jul 2007
    Posted 24 Sep 2009
    Hello,

    I just installed Sitefinity Community Edition on my webhost's server. Just FYI, the server has full trust enabled. It's mostly working fine, but I keep getting logged out, even when I'm actively working. I mean, I'll click a link, it'll work fine, then less than 5 seconds later I'll click another link and I get the login screen instead of what I was trying to access. Once I log in again, it'll work ok for a few more clicks before it happens again. Do you have any recommendations?

    -Keith
  2. Richardsonke
    10 posts, registered 10 Jul 2007
    Posted 24 Sep 2009
    For anyone else who has this issue, it seems that generating and hard coding a machineKey under System.Web in the web.config makes this problem go away.  I'm not in a webfarm so I can't think of any reason why this is required.  Hope this helps someone!

    -Keith
  3. Ivan Dimitrov
    16072 posts, registered 25 Nov 2016
    Posted 24 Sep 2009
    Hello Richardsonke,

    You could also take a look at the Application Pool settings and check whether there are any memory limits. Thank you for sharing the way you have solved the problem at your end.

    Greetings,
    Ivan Dimitrov
    the Telerik team

  4. KEG
    5 posts, registered 12 Aug 2009
    Posted 26 Jan 2010
    We are testing the trial edition of Sitefinity. We are experiencing the same behavior that this post describes. We log into the site using our Windows credentials and IE (logs us in without prompting). But after a few clicks, the site displays the Login.aspx page and upon entering the credentials logs us in again. Then again after a few clicks the same routine occurs.

    We are currently testing this on Windows XP, which doesn't allow us to modify the Application Pools like on Windows Server(s).

    Also, we'd like some assistance on how to properly set up our content managers with Windows Integrated security and allow anonymous users to stay anonymous (and use any browser to access public pages without being prompted).

    I can post config files and screenshots if necessary.
  5. Ivan Dimitrov
    16072 posts, registered 25 Nov 2016
    Posted 27 Jan 2010
    Hello Keith Geringer,

    1. Have you tried to register the machine key?

    2. Check whether the login cookie ID is removed or changed somehow.

    3. Make sure that your application pool does not get recycled which will force the login again.

    Sitefinity is supposed to work with FormsAuthentication with Network Service account for the application pool.

    Kind regards,
    Ivan Dimitrov
    the Telerik team

  6. KEG
    5 posts, registered 12 Aug 2009
    Posted 27 Jan 2010
    No, I had not tried the MachineKey. However, from what I've read about the MachineKey, I cannot determine why this would solve this issue. Here is an article that describes what the MachineKey is used for and it doesn't describe anything about Authentication.

    I saw the previous post.  From what I can determine the MachineKey protects data by encrypting it but it doesn't do anything (from what I can tell) to retain credentials that have already been passed and cached (via cookies).

    On 2., I'm not sure what you're requesting I do. What are you proposing here? What steps are you assuming I understand?

    3. As stated in my original post, I am running Sitefinity on Windows XP, therefore, IIS Manager on XP does not provide a way to manage the application pools. If this was on Windows Server, different story, we are in testing/evaluating the product so we have not deployed it on a server box yet.

    Finally, we would like additional information on how Sitefinity should be configured so our internal users (content managers) can be authenticated through the Windows domain, and our external anonymous users are never prompted for credentials.

    We are evaluating this product and need to work through these issues before we use it to implement our public facing website.


  7. Richardsonke
    10 posts, registered 10 Jul 2007
    Posted 27 Jan 2010
    I have no idea why the app pool recycles so much with sitefinity on certain servers (I have the problem on one server, but not another), but the machinekey did fix the immediate issue for me (of getting logged out).  The reason why the machinekey is important is because the cookie that is created by the ASP.NET authentication provider is encrypted using the machinekey.  If the machine key changes (which it does when the app pool recycles, it seems), it can no longer decrypt the cookie, so it is thrown away.  This logs out the user.  There are many websites that will generate a machinekey for you, but here are a couple:

    http://aspnetresources.com/tools/keycreator.aspx
    http://www.orcsweb.com/articles/aspnetmachinekey.aspx

    Hope this helps.

    -Keith
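
The fixed key discussed in this post can also be generated locally, so the secret is never produced by a third-party page. This is an added example, not code from anyone in the thread; the class name is hypothetical, and the key sizes (64-byte validation key for SHA1, 32-byte decryption key for AES) are assumed values that ASP.NET of this era accepts.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: prints a <machineKey> element with locally generated random keys.
public static class MachineKeyGenerator
{
    // Returns byteCount cryptographically random bytes as upper-case hex.
    static string RandomHex(int byteCount)
    {
        byte[] buffer = new byte[byteCount];
        RandomNumberGenerator.Create().GetBytes(buffer);

        StringBuilder hex = new StringBuilder(byteCount * 2);
        foreach (byte b in buffer)
        {
            hex.Append(b.ToString("X2"));
        }
        return hex.ToString();
    }

    public static string BuildElement()
    {
        // Assumed sizes: 64 bytes for the SHA1 validation key, 32 bytes for the AES key.
        string validationKey = RandomHex(64);
        string decryptionKey = RandomHex(32);

        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\" decryption=\"AES\" />",
            validationKey, decryptionKey);
    }

    public static void Main()
    {
        // Paste the printed element inside <system.web> in web.config.
        // With explicit keys the forms authentication cookie stays readable
        // after the application pool recycles.
        Console.WriteLine(BuildElement());
    }
}
```

Treat the generated element like a password: anyone who holds these keys can produce cookies the site will accept.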
  8. KEG
    5 posts, registered 12 Aug 2009
    Posted 27 Jan 2010
    So, placing a generated machinekey in the web.config file ensures that the key is always the same vs. getting recreated when the app pool recycles?  Is this right?
  9. Richardsonke
    10 posts, registered 10 Jul 2007
    Posted 27 Jan 2010
    I forgot to respond to the second part of your question (regarding integrated authentication). Integrated authentication as of this version of Sitefinity seems to be a second-class citizen, but I've made it mostly work. We are looking at authentication two different ways. One is using the ASP.NET SQL membership provider (the default for sitefinity) and the other is using the active directory provider. Using the SQL membership provider seems to be the best option if there ever will be an instance where you can't use integrated authentication (for example, a disaster recovery site that you'd prefer logging in automatically, but don't want to be dependent on active directory in case it goes down, or if non-ad users have to log in). On the other hand, if ONLY active directory users will ever log in, you can change to the AD provider. There is a help page that gives some info about the ad providers. The role provider documentation seems good, but it seems light on the membership provider info (maybe I'm just missing it though). If you have any questions about setting those up, just ask and I'll try to pull out an example. I'd take a pause at this point and make sure that the membership provider works as you'd expect it to by logging into the login page with your AD credentials.

    Once you know that the providers are working, we can start on the auto-login functionality. Important thing to keep in mind from this point on is that this will not work in IIS 7+ with the Integrated Pipeline because you CANNOT use two different authentication methods in one site. This has to be one of the stupidest restrictions in IIS 7+. So, I know you're using XP now, so this is nothing you have to worry about, but when you move to a server OS, keep in mind that you will have to use the classic pipeline (this is set in the app pools settings). Ok, now, back to the steps. If you previously turned on integrated authentication for the whole site, turn it off. You want anonymous access only set. I'm sure that you know that the login page is sitefinity/login.aspx. Create two new files in the sitefinity directory, AutoLogin.aspx and AutoLogin.aspx.cs. If you're using Visual Studio as your IDE, just create a new page called AutoLogin.aspx and it will create the cs file automatically. The ASPX has nothing of value in it. Just the basic template:

    <%@ Page Language="C#" AutoEventWireup="true" CodeFile="AutoLogin.aspx.cs" Inherits="Sitefinity_AutoLogin" %> 
     
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
     
    <html xmlns="http://www.w3.org/1999/xhtml">  
    <head runat="server">  
        <title></title>  
    </head> 
    <body> 
        <form id="form1" runat="server">  
        <div> 
          
        </div> 
        </form> 
    </body> 
    </html> 

    The codebehind is where the magic is done:

    1 using System;
    2 using System.Collections.Generic;
    3 using System.Linq;
    4 using System.Web;
    5 using System.Web.UI;
    6 using System.Web.UI.WebControls;
    7 using System.Web.Security;
    8 using Telerik.Security;
    9 using Telerik.Personalization;
    10
    11 public partial class Sitefinity_AutoLogin : System.Web.UI.Page
    12 {
    13     protected void Page_Load(object sender, EventArgs e)
    14     {
    15         // LOGON_USER is filled in by IIS after integrated authentication succeeds for this page
    16         string loginname = Request.ServerVariables["logon_user"];
    17         if (!string.IsNullOrEmpty(loginname) && loginname.StartsWith("YOURDOMAINNAME\\", StringComparison.OrdinalIgnoreCase))
    18         {
    19             MembershipUser user = UserManager.Default.GetUser(loginname, false);
    20             if (user != null)
    21             {
    22                 // Issue the forms authentication cookie for the matching Sitefinity user
    23                 this.Response.Cookies.Add(FormsAuthentication.GetAuthCookie(user.UserName, true));
    24                 HttpCookie cookie = this.Response.Cookies[FormsAuthentication.FormsCookieName];
    25                 UserManager.Default.SetAuthenticationCookie(cookie);
    26
    27                 string redirectUrl = Request.QueryString["ReturnUrl"];
    28
    29                 if (string.IsNullOrEmpty(redirectUrl))
    30                 {
    31                     // No ReturnUrl: use the user's start page, then the admin default
    32                     string loggedInUser = Request.ServerVariables["logon_user"];
    33
    34                     redirectUrl = PersonalizationManager.DefaultInstance.GetGlobalValue<string>(loggedInUser, GlobalSettingConstants.StartPage);
    35
    36                     if (string.IsNullOrEmpty(redirectUrl))
    37                     {
    38                         redirectUrl = "Admin/Default.aspx";
    39                     }
    40                 }
    41                 else
    42                 {
    43                     redirectUrl = HttpUtility.UrlDecode(redirectUrl);
    44                 }
    45
    46                 this.Page.Response.Redirect(redirectUrl, true);
    47                 return;
    48             }
    49         }
    50
    51         // Not a domain login, or no matching Sitefinity user: use the manual login page
    52         this.Page.Response.Redirect("~/Sitefinity/Login.aspx?ReturnUrl=" + HttpUtility.UrlEncode(Request.QueryString["ReturnUrl"]));
    53     }
    54 }

    You will need to make one change to this code. On line 17, replace YOURDOMAINNAME with the name of your company's domain. Do not remove the two slashes at the end. Now, in IIS, for THIS PAGE ONLY, disable anonymous access and enable integrated authentication. Now, you have two options on how to make this work. If you want people to be able to log in both manually and automatically, add a link on Login.aspx to AutoLogin.aspx that they can click to avoid having to type in their credentials. Alternatively, if you never need to log in manually, edit Login.aspx.cs and add

    this.Page.Response.Redirect("AutoLogin.aspx"); 

    as the first line within the Page_Load function.  This will automatically redirect them to the autologin page.  If in the future you want both manual and auto login, just remove this line.

    Please tell me if you have any questions. I figured this out through trial and error, so this may not be the 100% best way, but it seems to work for us. Telerik, please tell me if there is a better way to do this or if my code has any problems. Thanks!

    -Keith
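
The AutoLogin code-behind in this post redirects to whatever the ReturnUrl query string carries. One way to limit that redirect to paths on the same site, as an added example that is not part of the thread (ReturnUrlGuard and LocalOrDefault are hypothetical names, and the sample values are constructed):

```csharp
using System;

// Added example: accept a ReturnUrl only when it is a path on this site.
public static class ReturnUrlGuard
{
    public static string LocalOrDefault(string returnUrl, string fallback)
    {
        if (string.IsNullOrEmpty(returnUrl))
            return fallback;

        string url = returnUrl.Trim();

        // Control characters and backslashes can be normalised by browsers
        // into something that leaves the site, so refuse them outright.
        foreach (char c in url)
        {
            if (char.IsControl(c) || c == '\\')
                return fallback;
        }

        // Application-relative paths ("~/...") always stay on this site.
        if (url.StartsWith("~/", StringComparison.Ordinal))
            return url;

        // Root-relative paths are local; "//host" is protocol-relative and is not.
        if (url.Length > 0 && url[0] == '/' && (url.Length == 1 || url[1] != '/'))
            return url;

        // Anything else (absolute URLs, other schemes, bare relative text) is refused.
        return fallback;
    }

    public static void Main()
    {
        // Constructed sample values; the first two are kept, the rest fall back.
        string[] samples = {
            "/Sitefinity/Admin/Pages.aspx", "~/Sitefinity/Admin/Default.aspx",
            "//example.com/", "http://example.com/", "/\\example.com", null
        };
        foreach (string s in samples)
        {
            Console.WriteLine("{0} -> {1}", s ?? "(null)",
                LocalOrDefault(s, "Admin/Default.aspx"));
        }
    }
}
```

Apply the check to the final string, after the `HttpUtility.UrlDecode` call, because `Request.QueryString` has already decoded the value once and the second decode can change what it points to.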
  10. Richardsonke
    10 posts, registered 10 Jul 2007
    Posted 27 Jan 2010
    Yes, you are correct about why the machinekey is needed.

    -Keith
  11. KEG
    5 posts, registered 12 Aug 2009
    Posted 27 Jan 2010
    Keith,

    Wow, thanks for the post.  This is the best help we've had so far.  I agree with you on the lack of documentation in the developers manual.  I have not found a well rounded set of information there either.  Some things seem to be documented and other aspects severely lacking.

    Anyway thanks again for your detailed post, I'm sure it will solve our issues with integrated security for now.

    -Keith
  12. Richardsonke
    10 posts, registered 10 Jul 2007
    Posted 27 Jan 2010
    Happy to help.  Us Keiths have to stick together ;-)  Hopefully Telerik makes this easier in the next version of Sitefinity.  A built-in autologin functionality would be very appreciated.  Anyway, tell me if you have any questions or run into any problems.

    -Keith