Frequently Asked Questions: M-Files
Session Expired error on Google Chrome
Posted by Ondas Santos (M-Files) on 07 February 2019 11:18 PM


This article describes a problem in which customers open M-Files Web in Google Chrome, log in, select their vault, and are redirected back to the login page, unable to log in until the cache is cleared.

Impacted Products and Versions

M-Files version 10 and later.


Try to log in to M-Files Web using Google Chrome and notice that, after logging in and selecting the vault, you get the login page once again.

Sample Case

Here's a capture (F12) done in Chrome while this problem was being reproduced:

1. General
   1. Request URL:
   2. Request Method:
   3. Status Code:
   4. Remote Address:
   5. Referrer Policy:
2. Response Headers
   1. cache-control:
   2. content-length:
   3. content-type: application/json; charset=utf-8
   4. date: Fri, 04 Jan 2019 21:08:34 GMT
   5. set-cookie: ASP.NET_SessionId=[YourSessionID_Details]; path=/; secure; HttpOnly
   6. status:
   7. strict-transport-security: max-age=31536000; includeSubDomains;
   8. x-content-type-options:
   9. x-frame-options:
3. Request Headers
   1. :authority:
   2. :method:
   3. :path:
   4. :scheme:
   5. accept: application/json, text/javascript, */*; q=0.01
   6. accept-encoding: gzip, deflate, br
   7. accept-language:
   8. content-length:
   9. content-type: application/json; charset=UTF-8
   10. cookie: ASP.NET_SessionID=; [YourSessionID_Details]; ASP.NET_SessionId=[ YourSessionID_Details]; [YourSessionID_Details]
   11. mfwa-csrftoken:
   12. origin:
   13. referer:
   14. user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
   15. x-active-vault:
   16. x-extensions:
   17. x-rememberuser:
   18. x-requested-with:
   19. x-timezone:
4. Query String Parameters
   1. _method:
5. Request Payload
   1. {GUID: "{C332761F-1C18-438B-8F16-5616DC829180}"}

Cause and Reason

A cookie named ASP.NET_SessionID (uppercase "D") is present among the browser's cookies and prevents you from logging in.

The ASP.NET_SessionId cookie (lowercase "d") is used to set the timeout on the server, which is usually set to 20 minutes. However, some users had both the ASP.NET_SessionId and ASP.NET_SessionID cookies saved to their cache, and that prevented logging in. When the timeout occurs, MFWA generates the ASP.NET_SessionID cookie. If you try to log in after this, the attempt is unsuccessful until the cookie is deleted. After a while, the cookie comes back and you are again unable to log in.
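
A quick check for the condition described above, as an added example that is not part of the original article or of M-Files itself: it scans a Cookie request header (as copied from the F12 capture) for cookie names that differ only by letter case. The function names and the sample header values are constructed for illustration.

```javascript
// Split a Cookie request header into [name, value] pairs.
// Segments without "=" (such as redacted placeholders) are skipped.
function parseCookieHeader(header) {
  const pairs = [];
  for (const part of header.split(';')) {
    const item = part.trim();
    if (item === '') continue;
    const eq = item.indexOf('=');
    if (eq <= 0) continue; // no name before "=", or no "=" at all
    pairs.push([item.slice(0, eq).trim(), item.slice(eq + 1).trim()]);
  }
  return pairs;
}

// Group cookie names case-insensitively and return every group that
// contains more than one distinct spelling of the same name.
function findCaseCollisions(header) {
  const groups = new Map();
  for (const [name] of parseCookieHeader(header)) {
    const key = name.toLowerCase();
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(name);
  }
  const collisions = [];
  for (const spellings of groups.values()) {
    if (spellings.size > 1) collisions.push([...spellings].sort());
  }
  return collisions;
}

// Constructed sample headers; the values are placeholders, not real session IDs.
const affected = 'ASP.NET_SessionID=; ASP.NET_SessionId=abc123placeholder; lang=en';
const healthy = 'ASP.NET_SessionId=abc123placeholder; lang=en';

console.log('affected:', findCaseCollisions(affected));
console.log('healthy:', findCaseCollisions(healthy));
```

A non-empty result for a request to M-Files Web means both spellings of the session cookie are being sent, which matches the cookie line in the sample capture.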

Solution / Workaround

Clearing the cookies from Chrome can help, but the problem eventually comes back.

A workaround would be to create an Outbound rule in IIS through the "URL Rewrite" feature.

Here are the steps:

  • Open IIS Manager.
  • Select "Default Web Site".
  • In the Feature View, select "URL Rewrite".
  • In the Actions pane on the right-hand side, click "Add Rules...". In the "Add Rules" dialog, select "Blank Rule" under the "Outbound rules" category and click OK.

Enter the values from the attached screenshot.

Additional Info

This has been logged as defect 149331, which is fixed in version 19.2.


 iis outbound rule.jpg (62.30 KB)