.Net Core 2.x User Session signs out on Shared Hosting unexpectedly

I am playing around with aspnetboilerplate.com's template for dotnet core. What I am trying to do is to deploy the template on a shared hosting (Windows) server running Plesk (note, I have no control over the server at all).

The template works perfectly locally: I can log in, add users, roles, etc. Deploying it to the shared hosting server gave some issues, but those were resolved relatively quickly (configuring for dotnet core and had to drop to dotnet core 2.1 as 2.2 is not yet supported on the server).

The problem now is that after logging in, within a minute I am redirected to the login page. I have had a similar problem with ASP.NET MVC5, but providing a Machine Key in the web.config and making use of a database for session data fixed that problem. So I am reasoning it is the same problem with the dotnet application.

But seeing as dotnet core does not use machine keys and DataProtectionApis a different approach is needed.

So I have tried adding services.AddDataProtection(); to StartUp.Configure()

I have read Distributed caching in ASP.NET Core and just about all the links coming off there as well as tried multiple code examples, but either I do not know what I am doing (high probability) or I am not doing something right.

So, how do I prevent the user being signed out unexpectedly using dotnet core 2.1 on a shared hosting server?

EDIT - 2019-01-25

Some new information: Tried setting timeouts as suggested, but this either does nothing or is not possible. For the dotnet application to run on Plesk, I had to disable ASP.NET support so that .NET core gets No Managed Code Application Pool. Trying to access ASP.NET settings on Plesk (where you'd have access to Application Pool settings, etc.) gives an error saying 'ASP.NET support is switched off for this website'.

One thing that does not happen is the App_Data/Logs folder never gets created when publishing. I had to manually create and set permissions so that log4net can create a log file. The log file provided me with additional information:

ERROR 2019-01-25 09:33:03,005 [6    ] .Antiforgery.Internal.DefaultAntiforgery - An exception was thrown while deserializing the token.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} was not found in the key ring.

Searching for this error only once again led me to documentation about adding services.AddDataProtection() to the ConfigureServices method, but this drones on about Azure Key Vaults (or other external providers) or writing info to a shared UNC so that other servers can access cached key info (and this is probably what I need). But seeing as all of these options are not available to me, I found an extension method which allows the key to be stored on an MSSQL server. Busy setting this up now to test.

If anybody wants to give their opinion, please be my guest.

UPDATE 2 - 2019-01-25 - SUCCESS (for now)

It would appear that making use of DataProtectionAPI is the way to go. Logs are not reporting any AntiforgeryValidationException, yet. I am going to let it run for a while and if all is good, I'll post the solution and how it has been implemented.

Based off the information you provided above, I believe your session is timing out.

When the session times out the user will be redirected to the login page to reauthenticate. I am not overly familiar with Plesk but from very quick googling it seems that you should be able to increase the session timeout.

Of course, if you are setting the session timeout yourself in ConfigureServices you could just adjust it there as well, I would assume (again, unfamiliar with the Plesk setup fully).

If you do that, the problem should resolve itself. Perhaps the session timeout is set to a short time period for testing?

.net session state

services.AddSession(options =>
{
    // Set a short timeout for easy testing.
    options.IdleTimeout = TimeSpan.FromSeconds(10);
    options.Cookie.HttpOnly = true;
});


The problem, it turns out, was not the session expiring, but rather that when another server takes over the load of my site, it has no session context. Data Protection services allow for the creation of a database to store session info in, and it is shared across servers in the farm. Similar to the session state attribute from web.config in MVC projects:

<sessionState mode="SQLServer" sqlConnectionString="Data Source=000.000.000.000;Initial Catalog=session_db;User Id=user;Password=password;" allowCustomSqlDatabase="true" timeout="480" />

This is how I solved the problem:

Within ConfigureServices I added:

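// Requires: using Microsoft.AspNetCore.DataProtection;
services.AddDataProtection()
    // Must be identical on every server that has to read the same cookies and tokens.
    .SetApplicationName("MyApplicationName")
    .SetDefaultKeyLifetime(TimeSpan.FromDays(14))
    // Extension method (the one mentioned in the question) that stores the key ring in SQL Server.
    .PersistKeysToSqlServer(_config["DataProtection:SqlServerConnectionString"]);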

I also had to create a separate database which is responsible for storing the session information. The DataProtection:SqlServerConnectionString is an entry in the appsettings.json file:

"DataProtection": {
    "SqlServerConnectionString": "Server=server; Database=database; User=user; Password=password;"
}

There are probably ways to solve this problem (e.g. with Redis), but seeing as I have no control over the server my site is hosted on, Data Protection services work just fine.
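The failure in the log above and the fix in this answer can be reproduced in a console program. This is an added example, not code from the original posts: each BuildNode call stands in for one server, the file-system key store is swapped in for the SQL Server store so it runs without a database, and the purpose string, payload and temp path are constructed for the demonstration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingDemo
{
    // Builds an isolated Data Protection stack, standing in for one server.
    // keyDir == null models a host whose key ring exists only in process memory.
    static IDataProtector BuildNode(string keyDir)
    {
        var services = new ServiceCollection();
        var builder = services.AddDataProtection()
                              .SetApplicationName("MyApplicationName");
        if (keyDir == null)
            builder.UseEphemeralDataProtectionProvider();
        else
            builder.PersistKeysToFileSystem(new DirectoryInfo(keyDir));

        return services.BuildServiceProvider()
                       .GetRequiredService<IDataProtectionProvider>()
                       .CreateProtector("Demo.AuthTicket"); // hypothetical purpose string
    }

    // Protects a payload on node A, then tries to unprotect it on node B.
    public static bool RoundTrips(string keyDir)
    {
        string ticket = BuildNode(keyDir).Protect("user=alice"); // constructed payload
        try
        {
            return BuildNode(keyDir).Unprotect(ticket) == "user=alice";
        }
        catch (CryptographicException ex)
        {
            // Same exception type as in the antiforgery log entry above.
            Console.WriteLine("node B rejected the ticket: " + ex.Message);
            return false;
        }
    }

    public static void Main()
    {
        string shared = Path.Combine(Path.GetTempPath(), "dp-keys-demo"); // constructed path
        Console.WriteLine("separate in-memory key rings: " + RoundTrips(null));
        Console.WriteLine("shared persisted key ring:    " + RoundTrips(shared));
    }
}
```

Whichever store holds the key ring (directory, SQL table or DbContext) now contains the keys that protect authentication cookies and antiforgery tokens, and keys persisted to a custom location are not encrypted at rest unless a ProtectKeysWith* option is configured, so access to that store should be restricted accordingly.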


As PersistKeysToSqlServer is not supported in dot net core 3.1, we can use .PersistKeysToDbContext<AppDBContext>() or PersistKeysToFileSystem as it is shown here.


Comments
  • Thanks Matt. Will give it a try and let you know