I am working with an asp.net/vb.net application whose users have oracle accounts to connect to the application.
The high level problem: when a user changes their password, often their account will be locked soon after.
After much digging, it seems the worker process (w3wp.exe on the server, aspnet_wp.exe when running locally) is continuing to hit the database with the old connection using the old password, and, as is supposed to happen, after three invalid login attempts, the account is locked.
I've watched the dba_audit_trail table to see when database login's are happening. After the password change, even when the application is not being hit, there will be four new rows added to the dba_audit_trail table at regular intervals (it's been approximately every minute, every two minutes, or every four minutes). The automatic entries stop after about 30 minutes, or after the appropriate worker process is killed.
This was happening when running locally but I can no longer duplicate it locally, even though the code is the same on my machine as it is on the server. It is still happening on the development server.
This was only discovered after we started clearing the connection pool after a password change. This was done because the client noticed that an old password could be reused immediately after changing the password. Clearing the connection pool solved that.
We have tried
- relinking, repairing and restarting IIS
- adding <sessionState mode="InProc" ... to the web.config file
All with no success.
Does anyone have any ideas on why this is happening, or where I could look next?