javascript - slidingExpiration doesn't seem to work with ASP.NET MVC APIs when working with SPAs
My users, when on an SPA page, are getting logged out after a couple of hours. Though, if they use the older postback forms, they never time out. To give context, I have included plenty of code, with a description of the issue at the bottom.
Web.config authentication

    <authentication mode="Forms">
      <forms loginUrl="~/account/login" timeout="480" slidingExpiration="true" defaultUrl="~" ticketCompatibilityMode="Framework40" />
    </authentication>
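My API controller

    using System;
    using System.Linq;
    using System.Web.Http;

    namespace My.Controllers
    {
        public class ApiMotionController : ApiController
        {
            // Only authenticated users in the "mover" role may call this action.
            [Authorize(Roles = "mover")]
            public IQueryable<Motions> Get()
            {
                // Body not shown in the original post.
                throw new NotImplementedException();
            }
        }
    }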
JavaScript code

    (function () {
        'use strict';

        angular.module('app')
            .controller('motionmanager', ['$scope', '$http', buildmotionmanager]);

        function buildmotionmanager($scope, $http) {
            /* static members */
            $scope._whoami = 'motionmanager'; // used for troubleshooting the controller

            /* initialization code */
            getmotions($scope, $http)();

            /* scope methods */
            $scope.refreshmotionslist = getmotions($scope, $http);
            $scope.addmotion = addmotion($scope, $http);
            $scope.playmotion = playmotion($scope, $http);
        }

        // Returns a function that reloads the motion list from the Web API.
        function getmotions($scope, $http) {
            return function () {
                $http.get('/api/getmotions')
                    .success(function (data) {
                        $scope.motionlist = data;
                    })
                    .error(function (data) {
                        console.log('fail', data);
                    });
            };
        }

        function addmotion($scope, $http) {
            // stub. code not shown here.
        }

        function playmotion($scope, $http) {
            // stub. code not shown here.
        }
    })();
There may be typos in the above code, since I retyped the original while sanitizing.
The code works as expected; the problem is that after hours of working, the Web API calls start failing with a 401 error. That is, it is acting as if the user is de-authenticated.
As stated above, I cannot duplicate the issue when using web forms, or MVC forms, and re-posting whole pages. Only when using SPA-style coding. I haven't tried other SPA frameworks, since I have 6 months of Angular-directed code in the project, so switching isn't an option.
I have considered putting in an iframe, with a timer to fire off in the background against a form object, to trick the browser into generating a proper form postback. I want to avoid doing that, because it seems hacky.
The other key issue I have found is that I am seeing a bunch of Schannel errors being logged in the application event log on the IIS server. The 10,10 isn't documented. The 10 series is documented outside of 10,10. None of the suggestions seem to work, or be relevant.
The server is IIS 7.5, and I have tried on IIS 8.
Application log errors:

    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.
    Error state: 10, alert description: 10
    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
    An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Discovery
Error code 40 means there is a handshake issue. Since the state management is a custom platform, I decided to change it to InProc. So far, I have seen the error log cut down in new error frequency, but not disappear. However, I am still testing the 401 issue.
Post discovery follow up
I had the certs re-issued, and the Schannel errors cleared, but the problem remained.
I had started exploring the header info with a fine-tooth comb, to see if that means I had to add custom header info to accompany the server calls.
I have included withCredentials: true in the $http calls, and that has brought the failure rate down around 15%. That means the failures are down to once or twice a day.
I started watching the 'auth' cookie on the client, and something confusing happens occasionally. The cookie will change without prompt, and then it has changed back. The session is bouncing from the current one, to a new one, and back to the current. I have killed the cleanup process on the session table on the server, and will see if I am getting there.
I had been checking the system logs for exceptions, or SQL timeouts, and found nothing.
I started to convert the controllers to MVC controllers, but have hit conversion problem after conversion problem, including the use of the JSON serializer. I still don't understand the decision to stick with the MS serializer when the JSON.NET one would work much better.
Current status
The last change I made was to add filters.Add(new AuthorizeAttribute()); to the FilterConfig.RegisterGlobalFilters function.
Everything is still failing. After investigating the IIS logs I am still seeing it getting de-authenticated.

FF on Windows - fail
Chrome on Windows - fail
Chrome on Droid - fail
Safari on iPad - fail
IE on Windows - fail

12/10 discovery
I have found the real problem. The authentication in the MVC controllers is not compatible with the Web API controllers. When I authenticate with an MVC controller, the Web API controllers ignore it, and time out on authentication.
Latest discovery
Apparently when the ASP.NET worker process is shut down and restarted, there is a false flag that the database schema doesn't exist. I removed the check, and reads and writes started working fine. What is interesting is that the API controller will forge a new cookie when the MVC controller fails authentication. It is creating a new provider instance. However, I couldn't find the second instance, so I have to assume that the existing provider is being duplicated.
Fix being tested
Now that I have removed the DB test, I am testing the issue in long-run tests. With each long run, the longer the worker process stays alive, the shorter the session timeout.
Cornerstone of finding the bug
Apparently IIS Express was hiding the bug, in that it seems to act without an external worker process. So I moved the test environment to a local IIS server.
It looks like there were several issues causing the problem, each one broken down here:

IIS Express wasn't closing sessions the same way full IIS would. So I moved the application to local IIS, and added logging to everything.

The ASP.NET worker process would launch a new provider instance every time the API controllers were called. This would cause a new schema check per call. MVC controllers cause the check once per initial launch. Since the provider marries the application schema, I disabled the schema check.

Angular must be told to marshal cookies. So I added:

    cfg: { withCredentials: true, responseType: "json" }

The response type is to cover an occasional issue where I see 'text/text'. I should see 'application/json'. This seems to be a browser issue, with IE.

I had to add config.MapHttpAttributeRoutes(); to the Register method of the WebApiConfig class.

Using all of this, I was able to find that the core of the problem was that every API call was causing the security provider to re-test the schema, while MVC controllers are set to suppress the test after the first load. The test fails, because I had to expand a couple of tables, but didn't need the models changed.

Resolution: I removed the test from the provider. Since the provider is tied to the rest of the application, it didn't seem logical to keep treating it like a typical ASP.NET membership provider. And on top of that, it was a feature I didn't need.
As a second benefit, I gained a little bit of performance.
javascript c# asp.net angularjs iis
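
Background for the timeout="480" and slidingExpiration="true" settings in the question, as an added example that is not part of the original post: a JavaScript model of the ASP.NET forms-authentication sliding rule, under which a ticket is reissued only by a request that arrives once half of its lifetime has elapsed. The function names and request times are constructed for illustration; this models the setting only and is not the root cause identified in the post.

```javascript
// Added example: model of the forms-authentication sliding renewal rule.
// TIMEOUT_MIN mirrors timeout="480" from the web.config in the question.
const TIMEOUT_MIN = 480;

// A ticket is reduced to its issue and expiry times (minutes since login).
function issueTicket(now) {
  return { issued: now, expires: now + TIMEOUT_MIN };
}

// Sliding rule: keep the old ticket while more time remains than has
// elapsed; otherwise reissue it with a full lifetime starting now.
function renewIfOld(ticket, now) {
  const elapsed = now - ticket.issued;
  const remaining = ticket.expires - now;
  return remaining > elapsed ? ticket : issueTicket(now);
}

// Replay authenticated requests at the given times (minutes since login)
// and report the status and ticket expiry the server would produce.
function replay(requestTimes) {
  let ticket = issueTicket(0);
  const results = [];
  for (const t of requestTimes) {
    if (t >= ticket.expires) {
      // Expired ticket: the request is unauthenticated until a new login.
      results.push({ t, status: 401, expires: ticket.expires });
      continue;
    }
    ticket = renewIfOld(ticket, t);
    results.push({ t, status: 200, expires: ticket.expires });
  }
  return results;
}

// Constructed timelines. In the first, activity at minute 230 falls in the
// first half of the lifetime, so nothing slides and minute 485 is rejected.
const earlyActivityOnly = replay([100, 230, 485]);
// In the second, a request at minute 470 reissues the ticket.
const lateActivity = replay([100, 230, 470, 490]);

console.log(earlyActivityOnly);
console.log(lateActivity);
```

A request in the first half of the ticket lifetime does not extend the session, so idle time measured from the last request can be shorter than the configured timeout when a 401 appears.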