I have InProc SessionState enabled for my MVC application
<system.web>
...
<sessionState mode="InProc" cookieless="false" timeout="180" />
...
</system.web>
I have four independent VMs (Dev, Test, UAT & Prod) and unfortunately it does not work on one of them, e.g. TempData is not passed between redirects.
I have checked...
IIS machine.config
IIS web.config
Application's web.config
Application pool settings
and they are all the same (allowing for differences in connection strings etc.)
Anything else I can check or any ideas as to what might be going on?
My dev and test environments are using the machine names whereas we have configured CNAMEs for the UAT environment as the end users are interacting with the server.
The problem was the hostname of the server... reporting_uat.xxx.com
As this contains an underscore, IE will not store cookies, see Issue with Session and Cookie in Internet Explorer for websites containing underscore.
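As an added example (not part of the original answer), a pre-deployment check that flags host names whose labels fall outside the letters, digits and hyphens rule, the condition the answer identifies as stopping IE from storing the session cookie. Every host name other than `reporting_uat.xxx.com` is constructed for illustration.

```python
import re

# One DNS label under the RFC 952 / RFC 1123 host name rules:
# letters, digits and hyphens only, no leading or trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_problems(hostname):
    """Return a list of problems with the host name; empty means none found."""
    name = hostname.rstrip(".")  # tolerate a fully qualified trailing dot
    if not name or len(name) > 253:
        return ["empty or longer than 253 characters"]
    problems = []
    for label in name.split("."):
        if _LABEL.match(label):
            continue
        if "_" in label:
            problems.append(f"label '{label}' contains an underscore")
        else:
            problems.append(f"label '{label}' is not a valid host name label")
    return problems


def audit(hostnames):
    """Map each host name that fails the check to its list of problems."""
    return {h: p for h in hostnames if (p := hostname_problems(h))}


# Constructed sample: the UAT name from the question plus hypothetical
# names standing in for the other environments.
SAMPLE_HOSTS = [
    "reporting_uat.xxx.com",
    "reporting-uat.xxx.com",
    "devbox01",
    "reporting.xxx.com",
]

if __name__ == "__main__":
    for host, problems in audit(SAMPLE_HOSTS).items():
        print(f"{host}: {'; '.join(problems)}")
```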
Related
We have a private .NET app that runs on IIS on Windows Server 2016. We are using the sessionstate service.
Forms authentication with cookies
When we recycle the app pool then any users are forced back to the login page. This is not the behaviour expected or wanted.
If we set up the same code on Windows 10 we don't have that problem. We are struggling to replicate this in any other environment.
Is there some setting in IIS or elsewhere that would affect this functionality?
When I check the document, one possibility is that the identity of the application pool will cause this issue. If the identity of the application pool is ApplicationPoolIdentity, nothing will happen. It may only happen when using a custom account. I think this is not accurate, but you can check the identity.
In IIS, you can change session state mode to keep user login even when application pool recycles.
Generally, IIS stores session state values and variables in memory on the local Web server. So you can use SQL Server Mode. SQL Server mode stores session state in a SQL Server database. Using this mode ensures that session state is preserved if the Web application is restarted, including application pool recycles, and also makes session state available to multiple Web servers in a Web farm.
<configuration>
  <system.web>
    <sessionState mode="SQLServer"
      sqlConnectionString="Integrated Security=SSPI;data source=SampleSqlServer;" />
  </system.web>
</configuration>
Thanks for pointing us in the right direction by mentioning the user. The fix was to change the property "Load user profile" to True, the default value.
I set up a Sitecore infrastructure on Azure (I created the same before and it worked) and when I connect to the web apps directly, they all work. I configured access to two of the apps via Application Gateway - while one works, the other one gives 502 on the health status.
I checked on the application and there it shows me that the error is "ERROR_INTERNET_CONNECTION_ABORTED".
When I completely deactivate Sitecore (rename default.aspx and web.config) and put an index.html page, the application gateway can access it.
As mentioned - I have a running deployment that I did with the same ARM template. I also deleted everything and redeployed - same issue.
As mentioned - direct access to the web app works perfectly.
I have NO network restrictions on the web app yet.
It might be the case for Sitecore initial startup to take ages (more than health probe from service gate).
Considering Service Gate does not receive response from WebApp, it assumes application to be unhealthy, and might cache the 502 code.
What does your web app diagnostics say?
I finally found the issue. It was not the startup time and not an issue with the Application Gateway:
<ipSecurity allowUnlisted="false" denyAction="AbortRequest">
<clear />
<add ipAddress="0.0.0.0" subnetMask="0.0.0.0" allowed="true" />
</ipSecurity>
This is in the web.config for newer Sitecore versions. No idea why it worked for the other installation - but removing this solved the issue for me.
I currently have a web service which I would like to host publicly but my company policy is against exposing the web.config file outside of our company firewall. Is there a way where I can host my web service on a public server securely?
Thanks to how IIS works, your web.config file won't be accessible from outside your application. You won't be able to get to it by just browsing directly to it unless you manually allow that action such as enabling directory browsing etc.
The web.config file is more an IIS config than anything else, as it merely configures the IIS environment to run the application as you intend it to.
You have nothing to worry about.
I have a web application that is hosted by Azure as a web role. The application is installed on two sub domains, QA and Production, the QA environment has the X-Frame-Options set to deny, but the production environment does not.
Currently the same code is deployed to each environment, so it must be a configuration option. I can't find anywhere in the web app where the XFO headers are set. Where else might the configuration be set?
I know this is old but still no answer so...
You can set it in the web.config like this:
<customHeaders>
<clear/>
<add name="X-Frame-Options" value="ALLOW-FROM youruri" />
</customHeaders>
We're developing a new website running in Azure. We are currently developing against the local Azure dev environment. But now we need to publish and test the site in the real Azure world. But we would like to run in a "closed" environment, where only known users have access, as the site should not go live yet. Any suggestions to accomplish this?
/Rasmus
Windows Azure has something called 'staging mode', see this post: http://sevans.info/2010/10/10/windows-azure-staging-model/
It's very powerful, and exactly what you need as far as I can see.
You could remove the endpoints of your instance configuration, so there will be no forwarding through the load balancer. After that you could use the Remote Desktop to log into your Azure instance and test your web application.
Above suggestions are great and I would also like to add two more in this list as well:
Using production deployment and having a dummy index/default page with directory browsing disabled (already set as default). So when someone comes to your site there is nothing they will see. And as there is no directory browsing so they can not guess the page*.aspx to visit your site. This will keep your production site running and you can test it from outside.
Removing your instance from Load Balancer while keeping your instance healthy. This will require you to test the Azure Application by RDP to your instance and then launch internally. If you wish to do so here is the PowerShell based trick.
You could restrict the IP addresses that are allowed to access your app if you have a static IP address. As per this link: https://azure.microsoft.com/en-us/blog/ip-and-domain-restrictions-for-windows-azure-web-sites/
Developers can use IP and Domain Restrictions to control the set of IP addresses, and address ranges, that are either allowed or denied access to their websites. With Windows Azure Web Sites developers can enable/disable the feature, as well as customize its behavior, using web.config files located in their website.
Here's the code:
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<add allowed="true" ipAddress="123.456.0.0" subnetMask="255.255.0.0"/>
</ipSecurity>
</security>
</system.webServer>
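As an added example (not part of the original answer or the linked blog post), a small evaluator that parses an `<ipSecurity>` block, reports entries that are not valid IPv4 networks, and says whether a given client address would pass the allow list. The `203.0.113.0/24` and `198.51.100.7` addresses are constructed documentation-range values, and "first matching entry decides" is an assumption of this example, not a statement of how IIS resolves overlapping entries.

```python
import ipaddress
import xml.etree.ElementTree as ET


def load_rules(web_config_xml):
    """Parse <ipSecurity> into (allow_unlisted, rules, errors)."""
    sec = ET.fromstring(web_config_xml).find(".//ipSecurity")
    if sec is None:
        return True, [], []
    # allowUnlisted defaults to true, allowed to false, subnetMask to a single host.
    allow_unlisted = sec.get("allowUnlisted", "true").lower() == "true"
    rules, errors = [], []
    for child in sec:
        if child.tag == "clear":
            rules.clear()  # modelled as dropping the entries collected so far
        elif child.tag == "add":
            addr = child.get("ipAddress", "")
            mask = child.get("subnetMask", "255.255.255.255")
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                errors.append(f"invalid entry {addr}/{mask}")
                continue
            rules.append((net, child.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules, errors


def is_allowed(client_ip, allow_unlisted, rules):
    """Assumption of this example: the first matching entry decides."""
    ip = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        if ip in net:
            return allowed
    return allow_unlisted


# The snippet from the answer, verbatim, and a constructed variant that uses
# the 203.0.113.0/24 documentation range as a stand-in for a real network.
PAGE_CONFIG = """<system.webServer><security>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<add allowed="true" ipAddress="123.456.0.0" subnetMask="255.255.0.0"/>
</ipSecurity></security></system.webServer>"""
FIXED_CONFIG = PAGE_CONFIG.replace("123.456.0.0", "203.0.113.0").replace(
    "255.255.0.0", "255.255.255.0")

if __name__ == "__main__":
    print(load_rules(PAGE_CONFIG)[2])
    unlisted, rules, _ = load_rules(FIXED_CONFIG)
    for ip in ("203.0.113.25", "198.51.100.7"):
        print(ip, "allowed" if is_allowed(ip, unlisted, rules) else "denied")
```

The address in the snippet as posted is a placeholder that does not parse as IPv4, so the example reports it and ends up with no usable allow entry; substitute your own static address and mask before deploying.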