Authentication cookies keep coming back from the dead :(

Rita Mikusch asked on May 28, 2019 19:27

I have two instances of Kentico 11 with the same website running on two different servers. One is a test site, and the other is the live site.

I have a page on the test site that requires authentication to view. When I view that page first thing in the morning, it asks me for a password, and after logging in I can view it ... just as I would expect. The problem I'm having with this test site is ... those authentication cookies JUST WON'T GO AWAY!!

I can delete the cookies in the browser, close a private browser window, close the browser, log out ... no matter what I do, after I go back to that "page requiring authentication", I'm STILL AUTHENTICATED. And yeah, when I check for the cookies, they're back again.

The live version of that website works normally ... authentication works normally, and deleting cookies/closing a private browser window/logging out results in me NO LONGER being authenticated (as normal!!).

I've compared the two sites, and everything seems to be the same. Both have the same web.config timeout settings:

<forms loginUrl="CMSPages/logon.aspx" defaultUrl="Default.aspx" name=".ASPXFORMSAUTH" timeout="60000" slidingExpiration="true" />
<sessionState mode="InProc" stateConnectionString="...." sqlConnectionString="...." cookieless="false" timeout="20" />

But obviously SOMETHING is different between these two sites, or they wouldn't be acting differently! Does anybody have any suggestions on what I can check??

Thank you.

Correct Answer

Rita Mikusch answered on May 29, 2019 19:10

Thank you for the suggestion. It's not a browser specific issue ... I'm finding the problem in all browsers and all systems I'm logging in from.

And omg yay, looks like I found the problem ... caching. Somebody else originally developed the site and set caching on the root page's GENERAL TAB to 8 hours ... looks like caching was turned off on that "authorization required" page on the live site, but not on the test site.

While that caching was turned on, closing a private browser window or deleting browser cookies did not prevent the display of the "authorization required" content ... the login cookies were gone, but because of caching, that "authorization required" content still displayed without requiring a login.

Using the LOGOUT button in Kentico SOMETIMES resulted in the "authorization required" content still being viewable. I did go back and check that "authorization required" content right away ... I'm guessing maybe LOGGING OUT in Kentico took a while to affect the ability to view that "authorization required" content, whereas closing the private browser window or deleting the browser cookies had no effect at all; Kentico just merrily kept serving that "authorization required" content.

(Okay now I'm dying to know why somebody set the root node's caching to 8 hours!!!! ... haha okay and why didn't I think of checking the caching values earlier?!)

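To make the failure mode described in the accepted answer concrete, here is an added example (not code from this thread or from Kentico) that models an output cache keyed on the URL alone next to the fix of excluding protected pages from the cache. The page paths, the user name and the cache_authenticated_pages switch are invented for the illustration.

```python
# Added example (not from the forum thread): a toy model of the bug above.
# An output cache keyed on the path alone stores whatever the first visitor
# (here a logged-in user) rendered and replays it to everyone until the TTL
# expires, so deleting cookies or logging out seems to have no effect.
import time

PROTECTED_PAGES = {"/members/report"}   # constructed: needs a login to render
LOGIN_REDIRECT = "302 -> /CMSPages/logon.aspx"

def render(path, user):
    """Render the page for this request, or redirect to login when required."""
    if path in PROTECTED_PAGES and user is None:
        return LOGIN_REDIRECT
    return f"200 {path} for {user or 'anonymous'}"

class OutputCache:
    def __init__(self, ttl_seconds, cache_authenticated_pages):
        self.ttl = ttl_seconds
        # True  = misconfigured site: protected output is cached like any other.
        # False = hardened site: protected pages always go through render().
        self.cache_authenticated_pages = cache_authenticated_pages
        self.store = {}                  # path -> (expires_at, body)

    def get(self, path, user, now=None):
        now = time.time() if now is None else now
        if path in PROTECTED_PAGES and not self.cache_authenticated_pages:
            return render(path, user)    # never serve protected content from cache
        hit = self.store.get(path)       # keyed on path only: no per-user variation
        if hit and hit[0] > now:
            return hit[1]
        body = render(path, user)
        self.store[path] = (now + self.ttl, body)
        return body

def anonymous_view_after_login(cache_authenticated_pages):
    """What an anonymous visitor sees one minute after a logged-in user viewed the page."""
    cache = OutputCache(ttl_seconds=8 * 3600,   # the 8-hour root setting from the thread
                        cache_authenticated_pages=cache_authenticated_pages)
    t0 = 1_000_000.0
    cache.get("/members/report", user="rita", now=t0)         # logged-in request warms the cache
    return cache.get("/members/report", user=None, now=t0 + 60)  # cookies gone, one minute later
```

With caching left on, the anonymous request gets the page rendered for the logged-in user; with protected pages excluded, it gets the login redirect.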

Recent Answers

Keio Kwan answered on May 29, 2019 04:52

Assuming everything is fine in your test site...

Do you know if your browser has an auto-login feature that you turned on for your test site domain? You need to remove it from the white list. Or if you have other software to manage auto-login for you.

Have you tried using another browser?

