I am hosting Umbraco on Azure Web Apps. I have multiple app slots set up, for this example I have a "staging" and a "dev" slot. These two have their own individual databases. If I'm logged into one of them, and then log into the other, the first one gets logged out. It seems like there's some session collision somehow. Is this expected? Can I perhaps adjust how/where the session is handled?

Yes that is what I would expect, sessions by default are stored by the client unless set up otherwise

But the server will have to store the session somehow?

Do the slots have the same URL somehow? That's the only time I've seen this behavior, since the session cookies will collide if only the port number differs. This is not expected. We use slots like https://site-test-slot.azureWebSites.net and https://site-live-slot.azureWebSites.net and there is zero overlap between these. They are completely isolated web applications. No problem being signed into both concurrently.

If they both share the same root domain then the session cookie will get hijacked when logging in to the second site

@kdx-perbol We have basically the same setup, just with different names. They are separate and separated to staging and dev currently. The backoffice view is calling

/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds

and it returns

)]}',
0.0

When logging into this odd scenario, we've timed it to exactly 40 seconds until one is logged out again. Strangely enough we can get it working by setting

Security__AllowConcurrentLogins

to

true

. When testing this we are using different slot domain names, different databases, different browsers (so no cookie overlap/collision). And yet it happens. We went down a rabbit hole we couldn't get out of trying to set up som DistributedSqlCache in case the session data is lost somehow on Azure.

If you just browse to

GetRemainingTimeoutSeconds

directly after signing in, what does it say?

I think it's some old way of doing JSONP ajax requests, it's basically expected I think.

Is this a loadbalanced setup? Allow Concurrent Logins allows the same user to be signed into multiple instances concurrently. The default was changed from true to false in 13.

I'm not aiming for a load balanced setup, but it's an Azure "web app", which runs as apps/slots under an app service plan, and I assume it's technically possible for it to start scaling when needed? But this is not public (yet), so no pressure on the server.

Not thinking about pressure but about unintentionally having "multiple sessions". Couldn't be something with the user, that Umbraco doesn't find the user and falsely assumes there are concurrent sessions?

Right after login, it results with:

)]}',
28661.934916

Simplest possible reason would be that Umbraco is sharing its "session database" between dev and staging. No idea what that database is. But if there's any shared resource between dev and staging, that could be it.

I mean it's the same APP, but different slots I'm new to the concept of both web apps and slots, and I fear they might be sharing some space somehow, but I'm not sure

Slots are completely separate web apps in the same plan. There isn't any overlap unless configured. Think of it as 2 different IIS sites with completely different permissions and folders.

I think I'm also missing something in my ability to recreate this. It kept happening all the time up until now (just changed to laptop computer because close to bedtime). I even got it to happen on localhost, local development a couple of times. Been working 12 hours today so might very well be missing something basic. Thanks for listening out