
Double Logon for some users of an ASP.Net WebForms app

I have an ASP.NET WebForms app that uses forms authentication. For a small number of users we have a problem where they log in, they navigate to a couple of pages and then they are asked to log in again. Once logged in for a second time they seem to be able to stay logged in as expected. They shouldn't be asked to log in the second time.

This is a single server, no web farms, nothing tricky.

This only happens to a few users, but it does seem to be all users from the same building. I am unable to replicate this and at this point might even start to deny that it was happening if one of our trainers hadn't watched it happen to a couple of customers.

Has anyone else seen anything like this?

I am also seeing a lot of "Membership credential verification failed." errors in the event log. This may be related, but all the googling I've done seems to point to web farms and the like, not a single server.

UPDATE

  1. There is no proxy server, the IIS server and the browser (IE8) are both on the same machine.
  2. The AV software installed is Symantec Endpoint, on one machine, on the other the user didn't have any AV at all (AV Fail!).
  3. The browser is IE 8 with no frills, not a single addin that didn't come with the default installation.
  4. Both session and user login time-outs are set to 30 mins and the problem happens within 1 min of the user logging on.
  5. Logging shows the user to only have one IP address.
  6. I have tried the sessionMode in all its variations; this doesn't seem to make any difference.
ilivewithian asked Dec 30 '22 16:12


1 Answer

Something has to be causing ASP.NET to think these users have new sessions or their authentication cookie is getting invalidated. Here are a few things I can think to check:

  1. Are the users accessing the site through a proxy server? One of our customers has a proxy that will sometimes close all open connections causing ASP.NET to see the session as new.
  2. Could an overly aggressive anti-virus, anti-spyware product be "eating" the session authentication cookie?
  3. Do they have a cookie manager browser add-in that is causing the authentication cookie to disappear or change?
  4. Sounds basic but I've seen this happen because of site timeouts being set too short. If the user sits on the page for longer than the timeout, they will be forced to log on again. And this could be specific to a page when that page presents a large amount of data that takes a while for them to go through.

One other thing I just thought of, have you allowed multiple worker processes for the ASP.NET process (aka web gardens)? If so, the same constraints as with a web farm would apply for authentication.

Jeff Siver answered Jan 13 '23 12:01
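One way to tell the cookie hypotheses in the answer apart from the server side, as an added example that is not part of the original question or answer: it reads IIS W3C log lines and, for each redirect that hits a client seen signed in within the 30-minute timeout, reports whether the forms-auth cookie was missing from the request (dropped on the client side) or was sent and still not accepted (ticket expired, failed validation, or access denied). Assumptions: `cs(Cookie)` logging is enabled, the login page is `/Login.aspx`, the cookie has the default name `.ASPXAUTH`, and the log lines are constructed sample data.

```python
import datetime as dt

AUTH_COOKIE = ".ASPXAUTH"           # ASP.NET's default forms-auth cookie name
LOGIN_PATH = "/login.aspx"          # assumed login page (lower-cased)
WINDOW = dt.timedelta(minutes=30)   # forms timeout stated in the question

# Constructed sample in IIS W3C format; cs(Cookie) logging must be enabled.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-uri-stem sc-status cs(Cookie)
2010-01-05 09:00:00 192.0.2.5 /Login.aspx 302 -
2010-01-05 09:00:01 192.0.2.5 /Default.aspx 200 ASP.NET_SessionId=abc;+.ASPXAUTH=T1
2010-01-05 09:00:40 192.0.2.5 /Orders.aspx 302 ASP.NET_SessionId=abc
2010-01-05 09:05:00 192.0.2.9 /Default.aspx 200 .ASPXAUTH=T2
2010-01-05 09:05:30 192.0.2.9 /Orders.aspx 302 .ASPXAUTH=T2
2010-01-05 09:10:00 192.0.2.7 /Orders.aspx 302 -
"""

def parse(log_text):
    """Yield one dict per request, keyed by the names on the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = dt.datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def has_auth_cookie(row):
    # IIS writes "-" for no cookies and joins several with ";+".
    cookies = row.get("cs(Cookie)", "-").split(";+")
    return any(c.startswith(AUTH_COOKIE + "=") for c in cookies)

def classify_bounces(log_text):
    """List (ip, time, cause) for redirects that hit a recently signed-in client."""
    last_auth, findings = {}, []
    for row in parse(log_text):
        ip, authed = row["c-ip"], has_auth_cookie(row)
        # Assumption: a 302 on a page other than the login page is the
        # forms-auth redirect, and one c-ip corresponds to one user.
        if row["sc-status"] == "302" and row["cs-uri-stem"].lower() != LOGIN_PATH:
            seen = last_auth.get(ip)
            if seen and row["ts"] - seen <= WINDOW:
                cause = "cookie-sent-but-refused" if authed else "cookie-not-sent-by-client"
                findings.append((ip, row["time"], cause))
        elif authed and row["sc-status"] == "200":
            last_auth[ip] = row["ts"]
    return findings
```

Calling `classify_bounces(SAMPLE_LOG)` flags the two signed-in clients and ignores the first-time visitor at 192.0.2.7.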