Unexpected unauthorized exception

Hi guys,

I’m facing a strange problem. I’m using SS authentication without changing the default session expiry timeout and suddenly I got a 401 unauthorized exception. I’m waiting for my customer to send all my log files in order to understand when the session was started, but I suppose more than 15 days ago.

Tips?

Best regards
Enrico

I got the files. As expected, the session was started more or less 15 days ago and suddenly, without any kind of warning, I always received unauthorized exceptions.

This is my AppHost implementation:

        Plugins.Add(new AuthFeature(() => new CustomAuthUserSession(),
            new IAuthProvider[]
            {
                new PinAuthProvider(),
                new UserNameAuthProvider()
            }
        ));

where both PinAuthProvider and UserNameAuthProvider derive from CredentialsAuthProvider.

Am I right if I think that leaving all parameters to default values means an “infinite” session? Is it better to create a sliding session?

Best regards
Enrico

No it’s not infinite. You can force the same expiry for all SaveSessions by overriding your AppHost’s OnSaveSession(), e.g:

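public override void OnSaveSession(IRequest httpReq, IAuthSession session, TimeSpan? expiresIn = null)
{
    // Ignore the caller's expiresIn and always save with a two-week expiry.
    // The method is void, so the base call is not returned.
    base.OnSaveSession(httpReq, session, TimeSpan.FromDays(7 * 2));
}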

Thanks mythz.
Just for the future: how long will the session last when leaving all parameters at their defaults?

Does overriding the OnSaveSession method in my AppHost have the same effect as using a GlobalResponseFilter like this? (source: https://docs.servicestack.net/sessions#sliding-sessions)

GlobalResponseFilters.Add((req, res, dto) =>
{
    var session = req.GetSession();
    if (session != null)
        req.SaveSession(session, TimeSpan.FromMinutes(10));
});

Is it better to apply a specific session timeout than to leave it null?

Thanks
Enrico
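
A simplified model of the two expiry policies discussed above (a fixed expiry set once at login versus a sliding expiry re-saved on every request), added here as an illustration; it is not code from the thread or from ServiceStack. `SessionStore`, `FirstRejected` and the request timeline are hypothetical, and the model assumes each save simply replaces the stored expiry with "now + TTL".

```csharp
using System;
using System.Collections.Generic;

// Simplified model, not ServiceStack code: every Save() replaces the
// entry's absolute expiry with now + ttl, like a cache entry with a TTL.
class SessionStore
{
    private readonly Dictionary<string, DateTime> expiresAt = new Dictionary<string, DateTime>();

    public void Save(string id, DateTime now, TimeSpan ttl) => expiresAt[id] = now + ttl;

    public bool IsValid(string id, DateTime now) =>
        expiresAt.TryGetValue(id, out var exp) && now < exp;
}

static class Program
{
    // Replays request times in order and returns the first one that would be
    // answered with 401, or null if every request is accepted.
    // slidingTtl == null: session saved once at login (fixed expiry).
    // slidingTtl != null: session re-saved after each accepted request.
    static DateTime? FirstRejected(IEnumerable<DateTime> requests, DateTime login,
                                   TimeSpan loginTtl, TimeSpan? slidingTtl)
    {
        var store = new SessionStore();
        store.Save("s1", login, loginTtl);
        foreach (var t in requests)
        {
            if (!store.IsValid("s1", t)) return t;
            if (slidingTtl.HasValue) store.Save("s1", t, slidingTtl.Value);
        }
        return null;
    }

    static string Show(DateTime? t) => t?.ToString("u") ?? "never rejected";

    static void Main()
    {
        // Constructed timeline: login, then one request per day for 20 days.
        var login = new DateTime(2024, 1, 1, 8, 0, 0, DateTimeKind.Utc);
        var daily = new List<DateTime>();
        for (int d = 1; d <= 20; d++) daily.Add(login.AddDays(d).AddHours(-1));

        var twoWeeks = TimeSpan.FromDays(7 * 2);      // value from the OnSaveSession example
        var tenMinutes = TimeSpan.FromMinutes(10);    // value from the sliding filter example
        Console.WriteLine("fixed 14 days:      " + Show(FirstRejected(daily, login, twoWeeks, null)));
        Console.WriteLine("sliding 14 days:    " + Show(FirstRejected(daily, login, twoWeeks, twoWeeks)));
        Console.WriteLine("sliding 10 minutes: " + Show(FirstRejected(daily, login, tenMinutes, tenMinutes)));
    }
}
```

The fixed policy rejects an active client once the original expiry passes, while the sliding policy only rejects a client that stays idle longer than the TTL, so the TTL chosen for a sliding session is effectively an idle timeout.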

Overriding OnSaveSession is the best way to control how long sessions are saved for; if SaveSession() is called elsewhere it will override any previous save sessions.

Here are the defaults for ss-id and ss-pid cookies: