Abp.Authorization.AbpAuthorizationException: Current user did not login to the application! #6175

Closed
ontur00 opened this issue Jun 14, 2021 · 33 comments · Fixed by #6414

@ontur00

ontur00 commented Jun 14, 2021

Error at application

After about 30 minutes of logging in, the application shows an error Current user did not login to the application!


Log

```
WARN 2021-06-14 12:29:57,233 [76 ] Mvc.Authorization.AbpAuthorizationFilter - Abp.Authorization.AbpAuthorizationException: Current user did not login to the application!
   at Abp.Authorization.AuthorizationHelper.AuthorizeAsync(IEnumerable`1 authorizeAttributes)
   at Abp.Authorization.AuthorizationHelper.CheckPermissionsAsync(MethodInfo methodInfo, Type type)
   at Abp.Authorization.AuthorizationHelper.AuthorizeAsync(MethodInfo methodInfo, Type type)
   at Abp.AspNetCore.Mvc.Authorization.AbpAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
Abp.Authorization.AbpAuthorizationException: Current user did not login to the application!
   at Abp.Authorization.AuthorizationHelper.AuthorizeAsync(IEnumerable`1 authorizeAttributes)
   at Abp.Authorization.AuthorizationHelper.CheckPermissionsAsync(MethodInfo methodInfo, Type type)
   at Abp.Authorization.AuthorizationHelper.AuthorizeAsync(MethodInfo methodInfo, Type type)
   at Abp.AspNetCore.Mvc.Authorization.AbpAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
```

log.txt

@ismcagdas
Member

This might happen when your web server is recycled. If you are using IIS, you can configure it to always running mode.

@ontur00
Author

ontur00 commented Jun 15, 2021

Hi @ismcagdas, I changed Application Pools -> Advanced Settings -> Start Mode (AlwaysRunning) and I still have the same.
I want to note that I use the Multi Web Page Application sample (maybe it will help).

issue


@ismcagdas
Member

@ontur00 thanks, we will check this in details.

@ismcagdas ismcagdas added this to the v6.5 milestone Jun 17, 2021
@ontur00
Author

ontur00 commented Jun 21, 2021

ABP - Version 5.1.0.0

Hello, I tested the application: despite constant user activity (clicking and moving the mouse), it logs out after about 30-40 minutes.
I added a method that calls the method from the controller every 30 seconds, but that didn't help either. Do you propose any workaround?

Chats.cs

```csharp
[HttpPost]
public JsonResult KeepSessionAlive()
{
    JsonResult json = new JsonResult("Success");
    return json;
}
```

Index.js

```js
var keepSessionAlive = false;
var keepSessionAliveUrl = null;

function SetupSessionUpdater(actionUrl) {
    keepSessionAliveUrl = actionUrl;
    var container = $('.card-body');
    // Any mouse or keyboard activity marks the session as active.
    container.mousemove(function () { keepSessionAlive = true; });
    container.keydown(function () { keepSessionAlive = true; });
    CheckToKeepSessionAlive();
}

function CheckToKeepSessionAlive() {
    // setInterval repeats on its own, so the callback must not start another timer.
    setInterval(function () {
        if (keepSessionAlive && keepSessionAliveUrl != null) {
            $.ajax({
                type: "POST",
                url: keepSessionAliveUrl,
                success: function () { keepSessionAlive = false; }
            });
        }
    }, 30000); // 30 sec
    console.log("CheckToKeepSessionAlive " + keepSessionAliveUrl);
}

// One-off ping; not called anywhere in this script.
function KeepSessionAlive2() {
    if (keepSessionAlive && keepSessionAliveUrl != null) {
        $.ajax({
            type: "POST",
            url: keepSessionAliveUrl,
            success: function () { keepSessionAlive = false; }
        });
    }
}

SetupSessionUpdater('/Chats/KeepSessionAlive');
```

@ismcagdas
Member

@ontur00 sorry for the late reply. Do you go to other pages during your test? If not, the cookie's expire time will not change and the user will be logged out. This is the expected case.

@ontur00
Author

ontur00 commented Aug 9, 2021

@ismcagdas I'm not passing, I understand that this is how the framework works. Is there any workaround for this? He needs to stay on one page after the user logs in, and he will not go to other subpages. Or is it possible to extend the cookie expiry time?

@ismcagdas
Member

I think you can update the cookie's expire time by modifying this line https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp.Web.Resources/Abp/Framework/scripts/libs/abp.jquery.js#L39

@DWiszyns

DWiszyns commented Aug 17, 2021

Currently @ontur00 is unavailable so I'll continue the issue. Can you give us an example of how to modify this line to update the cookie's expiry time? Also, from what we see, the expiry time is supposed to be as long as the browser session, but after about 30 minutes we have the same issue as if we delete the cookie manually. From our POV it looks like a bug. Is there maybe a workaround for this?


@ismcagdas
Member

@DWiszyns sorry for the late reply, I will check it again. If the cookie expire time doesn't have a value, you don't have to change it.

@DWiszyns

DWiszyns commented Sep 1, 2021

@ismcagdas were you able to check it again?

@ismcagdas
Member

Sorry, didn't have time yet but probably will check it this week. Sorry for the delay.

@DWiszyns

DWiszyns commented Sep 6, 2021

@ismcagdas Were you able to check it last week?

@ontur00
Author

ontur00 commented Sep 8, 2021

I did the tests, they go through the subpages every 1 minute and so the user logged off after 30 minutes.

@DWiszyns

DWiszyns commented Sep 9, 2021


I don't know if it helps you, but once the session is down, we can see Jan 1 1970 is the time of expiration in cookies. I attach a screenshot.

@ismcagdas ismcagdas modified the milestones: v6.5, v7.0 Sep 22, 2021
@ontur00
Author

ontur00 commented Sep 30, 2021

Hello, is there a workaround currently available in version 6.5?
Have you found the problem and are you going to add a patch to version 7.0?

@ontur00
Author

ontur00 commented Oct 18, 2021

Is there any information on the session logout error?

@ontur00
Author

ontur00 commented Nov 19, 2021

When are you planning to release version 7? Will there be a fix for the logout error in it? It is very necessary, or some kind of workaround.

@ismcagdas
Member

@ontur00 we couldn't reproduce this on our side. I have some questions for you.

  1. Did you solve this problem?
  2. If not, do you host any other AspNet Boilerplate based app on the same IP address?
  3. Can you reproduce this problem at development time? If so, could you download a new template from https://aspnetboilerplate.com/ and try to reproduce the same problem on that template?

Thanks,

@ontur00
Author

ontur00 commented Jan 12, 2022

  1. No we did not.
  2. I tested the solution by running the project locally in visual studio and on IIS. The result was the same logging off the user after 30 minutes.
  3. I was currently testing the solution by running asp net core ver 7.x and 5.x on visual studio. Did not log off the session. However, I will still check the solution on the IIS server.


@ismcagdas
Member

Thanks. I downloaded a new version 2 days ago, ran it using Visual Studio, waited 30 mins without any action and couldn't reproduce the problem. If you can reproduce it and share the steps, I will really appreciate it.

@ontur00
Author

ontur00 commented Jan 13, 2022

I tested publishing the 7.x version template on IIS; there was no problem, even after 10 hours it did not log out. Do you have any advice on migrating the old project to the version 7.x template?

@ismcagdas
Member

@ontur00 thanks for taking your time and trying this. We normally suggest an approach similar to https://docs.aspnetzero.com/en/common/latest/Version-Updating for templates. You can implement same approach for your project. You can only try to upgrade authentication related parts of the project.

@ontur00
Author

ontur00 commented Jan 18, 2022

@ismcagdas Which module to copy to update regarding authentication?
It will be easier to change this.

@ismcagdas
Member

As far as I remember, you should update Web.Core and Web.Mvc but if you do that, it might create other problems. I think it is better to upgrade all projects if possible.

@ismcagdas ismcagdas removed their assignment Jan 28, 2022
@ismcagdas ismcagdas removed this from the v7.1 milestone Jan 28, 2022
@Saxroll

Saxroll commented Feb 1, 2022

Hi,
We have managed to merge our project with a blank template. At first we were testing it on our local web IIS server, locally through the IP address. It all seems to be working fine :) We were happy that it finally worked.
But then, when we tried to log in to the same web server through the public domain address, we encountered exactly the same problem. After 30 minutes the Application.Identity cookie gets invalidated and the user is forced to log in again. It is even more strange that if, at the same time, you establish a session to the same server by the local IP address, it works just fine.
I have noticed that a slightly different set of cookies is created depending on whether you access by the external address or the local one.

When you access by external address
image

When you access by local address
image

Then in the logs I have found below entries:

```
DEBUG 2022-02-01 13:43:45,008 [orker] AseeVT.Identity.SecurityStampValidator - Security stamp validation failed, rejecting cookie.
INFO 2022-02-01 13:43:45,008 [orker] tion.Cookies.CookieAuthenticationHandler - AuthenticationScheme: Identity.Application signed out.
INFO 2022-02-01 13:43:45,009 [orker] tion.Cookies.CookieAuthenticationHandler - AuthenticationScheme: Identity.External signed out.
INFO 2022-02-01 13:43:45,009 [orker] tion.Cookies.CookieAuthenticationHandler - AuthenticationScheme: Identity.TwoFactorUserId signed out.
INFO 2022-02-01 13:43:45,010 [orker] tion.Cookies.CookieAuthenticationHandler - Identity.Application was not authenticated. Failure message: No principal.
```

and this led me to the fact that we have a problem with security stamp validation on the identity cookie. So extending the cookie lifetime will not help here, since security stamp validation is a separate process. I have not yet found why the security stamp does not validate properly. The security stamp is not null, so it seems it is somehow mismatched.
For now I have extended the security stamp validation time (12h) to work around the issue, but maybe you will have an idea how to help find why the security stamp does not match and fix it as it should be. If necessary, we are able to reproduce the issue.

@ismcagdas
Member

I couldn't come up with a solution idea since we can't reproduce the problem. Maybe you can write extra logs and try to figure out why the security stamp is not valid.

@ismcagdas
Member

@Saxroll did you find a solution to this problem?

@antheus-s
Contributor

@ismcagdas I am experiencing the same problem while using Microsoft Identity (not IdentityServer) with default authentication (application cookie).

When I use:

```csharp
services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromSeconds(30));
```

I will get logged out after 30 seconds.

@antheus-s
Contributor

As stated by @Saxroll, this seems to be an issue with the security stamp validation. This is currently stopping us from going live, so I had to use the workaround that @Saxroll described by adding the following to the Startup class:

```csharp
services.Configure<SecurityStampValidatorOptions>(options =>
{
    options.ValidationInterval = TimeSpan.FromDays(365); // Instead of the default 30 minute interval.
});
```

I also added the following event handler to overrule the validation process:

```csharp
services.ConfigureApplicationCookie(opt =>
{
    // Replaces the default handler, so no validation runs for the application cookie.
    opt.Events.OnValidatePrincipal = (context) =>
    {
        return Task.CompletedTask;
    };
});
```

The only downside is that this means that we are not using the security stamp functionality anymore, but I guess it did not work currently anyways.

@ismcagdas If you find a fix for the security stamp validation issues, please let me know.
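
Added example, not code from this thread or from ABP: instead of the no-op `OnValidatePrincipal` above, this handler keeps the built-in security stamp check and, only when that check rejects a cookie, logs what was compared, in line with the earlier suggestion to write extra logs. `SecurityStampDiagnostics`, `AddSecurityStampDiagnostics<TUser>` and the logger name are hypothetical, and it assumes `UserManager<TUser>` can be resolved from the request's services and that `ValidationInterval` is left at a normal value.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public static class SecurityStampDiagnostics // hypothetical helper, not part of ABP
{
    // Short SHA-256 prefix: shows whether two stamps are equal without logging them.
    private static string Fingerprint(string value)
    {
        if (value == null) return "<none>";
        using var sha = SHA256.Create();
        return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(value)), 0, 6);
    }

    // TUser is the application's Identity user type (assumption).
    public static IServiceCollection AddSecurityStampDiagnostics<TUser>(this IServiceCollection services)
        where TUser : class
    {
        return services.ConfigureApplicationCookie(opt =>
        {
            opt.Events.OnValidatePrincipal = async context =>
            {
                var fromCookie = context.Principal;
                // Built-in check; it only compares stamps once ValidationInterval has elapsed.
                await SecurityStampValidator.ValidatePrincipalAsync(context);
                if (fromCookie == null || context.Principal != null) return; // cookie accepted
                var sp = context.HttpContext.RequestServices;
                var log = sp.GetRequiredService<ILoggerFactory>().CreateLogger("SecurityStampDiagnostics");
                var identity = sp.GetRequiredService<IOptions<IdentityOptions>>().Value.ClaimsIdentity;
                var users = sp.GetRequiredService<UserManager<TUser>>();
                var user = await users.GetUserAsync(fromCookie);
                string stored = null;
                try { if (user != null) stored = await users.GetSecurityStampAsync(user); }
                catch (InvalidOperationException) { /* stored stamp is null */ }
                log.LogWarning(
                    "Security stamp rejected: host={Host} userId={UserId} userFound={Found} " +
                    "cookieStamp={Cookie} storedStamp={Stored} issuedUtc={Issued}",
                    context.HttpContext.Request.Host.Value, users.GetUserId(fromCookie), user != null,
                    Fingerprint(fromCookie.FindFirstValue(identity.SecurityStampClaimType)),
                    Fingerprint(stored), context.Properties.IssuedUtc);
            };
        });
    }
}
```

Register it after the Identity services in `ConfigureServices`, so that this handler replaces the default one instead of being overwritten by it.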

@ismcagdas ismcagdas added this to the v7.3 milestone Mar 17, 2022
@acjh
Contributor

acjh commented Mar 19, 2022

@AntheusS Are you using 2FA?

@antheus-s
Contributor

@acjh Yes. 2FA is enabled. It occurs for both users that have 2FA enabled and users that have 2FA disabled.

@acjh
Contributor

acjh commented Mar 19, 2022

This should be fixed in PR #6414.

@Saxroll

Saxroll commented Mar 21, 2022

> @Saxroll did you find a solution to this problem ?

Hi. Unfortunately not yet. We stay on a workaround with disabled security stamp validation and its cons. We will be investigating further and trying to find a solution later.
