Why would an ASP.NET Sitecore site drop session after like 7 or 8 minutes?

Question

I have a Sitecore 7.5 site built with two front end CD servers and a load balancer with sticky sessions. The load balancer has a default timeout of 5 minutes. The Sitecore site has the ASP.NET default session timeout value of 20 minutes. I have been getting reports of the site randomly logging people out. I just ran the following experiment:

• Started a new session in a new browser
• Started a timer on my phone
• Almost continually clicked on different pages in the site. About the longest time that I was idle was maybe 30 seconds.
• After about 10 - 15 minutes I suddenly noticed that I was no longer logged in to the application

I can not figure out why this is happening. This is the code I am using to do login.

        protected void ButtonLogin_Click(object source, EventArgs e)
    {
        bool loginSuccess = Sitecore.Security.Authentication.AuthenticationManager.Login("extranet\\" + TextLoginUsername.Text, TextLoginPassword.Text, CheckKeepLoggedIn.Checked) || (Sitecore.Security.Authentication.AuthenticationManager.Login("sitecore\\" + TextLoginUsername.Text, TextLoginPassword.Text, CheckKeepLoggedIn.Checked));
        if (loginSuccess)
        {
            LabelLoginError.Visible = false;
            Sitecore.Analytics.Tracker.Current.Session.Identify(Sitecore.Context.GetUserName());
            Sitecore.Analytics.Tracker.Contact.Tags["Full Name"] = Sitecore.Context.GetUserName();
            Response.Redirect(ButtonLogin.PostBackUrl);
            return;
        }

        //Otherwise log as error.
        LabelLoginError.Text = "Username/password combination was incorrect.";
        LabelLoginError.Visible = true;
    }

Any ideas?

Answer 1

Did you check assignment to the CD server? You could check that in your browser console. Maybe your cookie expired and your Load Balancer just switched server which had been using by your user?

And one more thing - do you use SSL to secure connection? In the past one of my colleagues/administrators had some problems with properly configuration LB with SSL.

Answer 2

Check the logs to see if your app domain, or app pool is restarting due to file activity, thus loosing the inProc session state. Look for 'shutdown' or 'Sitecore started' in the logs.

Earlier answer having misread the question

You're logging in to machine A, but after 5 minutes your sticky session at the load balancer expires, your next request will start a new sticky session and has a 50% chance of being routed to server A again. If it is assigned to server A, your experience is unaffected, as you are still logged in to server A. If instead the new sticky session is assigned to server B, well, you're are not logged on server B so you'll think you were 'logged out' but in reality you were never logged in on server B.

To fix this, set your load balancer session timeout to be the same as your server session timeout - i.e. 20 minutes.

The sticky session exists to ensure that your requests are sent to the same server. By setting the load balancer session length shorter that the server session timeout, you've created a 15 minute shortfall were you can be directed to the wrong server while your active session still exists on the original server.

Setting a html comment in your web page with the server name or ip address would confirm this behaviour.

Answer 3

Check that your data folder is outside your webroot. If your data is inside your webroot it could be resetting the application pool due to the number of files that get changed in the data folder, log files, viewstate cache, lucene indexes etc...

See this post for more details: http://www.sitecorenutsbolts.net/2015/06/01/Application-Pool-Restarts-when-Data-folder-is-in-Webroot/ - make sure your data folder is not in your