Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Asp.net web site session gets lost after upgrading to Firefox 61 or above

  • 4 replies
  • 1 has this problem
  • 1 view
  • Last reply by Simon03

more options

We have an asp.net webform. Some of users always use Firefox and didn't have any issue until they upgraded to Firefox 61 or above. If Firefox 61+ is used, user's session gets killed/lost sometime. We cannot reproduce this issue in any versions prior to Firefox 61 or any other browsers.

Firefox 61 seems to be the first breaking version for us, so I have been looking at the release notes: https://www.mozilla.org/en-US/firefox/61.0/releasenotes/.

There was some improved security change around TLS so I tried to play around with the settings (security.tls.version.max and security.tls.version.fallback-limit) but it doesn't make any difference.

Any idea what could cause this session loss issue?

Thanks

We have an asp.net webform. Some of users always use Firefox and didn't have any issue until they upgraded to Firefox 61 or above. If Firefox 61+ is used, user's session gets killed/lost sometime. We cannot reproduce this issue in any versions prior to Firefox 61 or any other browsers. Firefox 61 seems to be the first breaking version for us, so I have been looking at the release notes: https://www.mozilla.org/en-US/firefox/61.0/releasenotes/. There was some improved security change around TLS so I tried to play around with the settings (security.tls.version.max and security.tls.version.fallback-limit) but it doesn't make any difference. Any idea what could cause this session loss issue? Thanks

All Replies (4)

more options

Do you have reliable steps to reproduce the problem?

Can you tell why the session is killed/lost? For example:

  • the session cookie stops getting sent back to the server at some point, so the user loses access to their session (but the session is not necessarily terminated on the server)
  • the server perceives that the session has become inactive and times it out even though the user is active
  • the server perceives that the user has terminated the session (for example, as if the user logged out)
  • the server terminates the session based on security criteria of IIS, ASP.Net, or your webapp (e.g., detected session hijacking)
more options

Hi Jefferson,

Thanks for your response. I don't have very reliable steps to reproduce the problem as it happens very randomly. It can happen just after a user logs in but it can also happen a few minutes after a user logs in.

This is what we do in my website. After a user logs in, we store some user related data in session. On each page load, we check these data. If the data is not in the session, the website will log out the user. From time to time, the user data (in the session) disappears so the user keeps being logged out.

I probably need to do more investigation on the issue but we haven't changed the code around this for long time. This issue started happening for users using Firefox 6.1 and above only.

Thanks

more options

Do affected users have any content blocking extensions or extensions that deal with cookies installed?

more options

cor-el said

Do affected users have any content blocking extensions or extensions that deal with cookies installed?

No, I don't think so. Also, I can reproduce the issue in safe mode. I believe safe mode disables all extensions.