
I am facing a weird issue with FormsAuthentication's .ASPXAUTH cookie. I migrated a .NET 4.6.2 MVC5 project to .NET 4.8 which makes use of FormsAuthentication, and everything seems to work as expected besides the authentication cookie issued by FormsAuthentication.

I am able to log into the application successfully. If I use the developer tools and explore the cookies in the browser, I can see that the browser has the appropriate .ASPXAUTH cookie set along with max-age=session and path=/. This is all working as expected; so far everything is good. If I start browsing different pages in the application, all of a sudden I am kicked out to the Login page.

An inspection of the traffic between IIS and the browser through Fiddler suggests that the application randomly returns an expired authentication cookie which overwrites the valid cookie. This causes a forced logout and the session is dropped.

This is what I have in my web.config.

    <authentication mode="Forms">
      <forms slidingExpiration="true" name=".ASPXAUTH" loginUrl="~/Login" defaultUrl="~/default" timeout="15"/>
    </authentication>
    <sessionState mode="InProc" cookieName=".SESSIONID" timeout="15"/>
    <anonymousIdentification enabled="true" cookieName=".ASPXANONYMOUS" cookieTimeout="1440"/>

  • The website is hosted on localhost running Windows 10 Professional, IIS 10.
  • I looked at the application pool event log and it was only shut down due to inactivity:

A worker process with process id of '10832' serving application pool 'mywebsite.com' was shutdown due to inactivity. Application Pool timeout configuration was set to 20 minutes. A new worker process will be started when needed.

  • We are not reissuing the authentication cookie manually anywhere besides the login form.

Here are the steps explaining what is happening:

  1. I go to Login page and enter username/password.

  2. The code issues the authentication cookie using the following call:

    FormsAuthentication.SetAuthCookie(model.UserName, false);

  3. User is sent to protected pages and I am able to confirm in Browser Cookies that a valid .ASPXAUTH cookie is set for the user.

  4. I navigate a few protected pages, and everything seems to work as expected.

  5. All of a sudden, when I try to open a page, the browser is served an expired authentication cookie:

    Set-Cookie: .ASPXAUTH=; expires=Mon, 11-Oct-1999 23:00:00 GMT; path=/; HttpOnly; samesite=Lax;

  6. This causes the browser to remove the .ASPXAUTH cookie, resulting in a lost session.

I have spent several hours trying to find out what could be causing this behavior, but no luck. I have seen other people experiencing a similar problem but no solution.

Update: The issue stopped happening after two days, after debugging in Fiddler, inspecting the IIS logs and searching around the internet for similar issues. I think it was linked to the use of secure cookies. I enabled secure cookies on the website for some tests and then reverted the changes shortly after. @Scott Hanselman has an article that points in this direction, though in my case I was not setting the cookie manually.

Weird Timeouts with custom ASP.NET FormsAuthentication

Leadfoot
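The expiry date in the Set-Cookie header from step 5, 12 October 1999 (rendered here in GMT), is the fixed value FormsAuthentication uses when it deletes its own ticket cookie (FormsAuthentication.SignOut sets exactly that date), so the header is coming from the framework rather than from application code. Fiddler shows the header but not which request on the server produced it. The following diagnostic IHttpModule is an added example, my own code and not part of the question's project: it inspects the outgoing cookies at EndRequest and logs every response that deletes the forms cookie, together with the URL, status code and user involved. The cookie name .ASPXAUTH is taken from the web.config above; System.Diagnostics.Trace stands in for whatever logger the project uses.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added diagnostic module; not part of the question's project. It logs every response
// that deletes the forms-authentication cookie, with the request that produced it.
public class AuthCookieClearWatcher : IHttpModule
{
    // Assumed cookie name; it matches <forms name=".ASPXAUTH"> in the question's web.config.
    private const string AuthCookieName = ".ASPXAUTH";

    public void Init(HttpApplication app)
    {
        // EndRequest runs after FormsAuthenticationModule (AuthenticateRequest) and the
        // session-state module have both had their turn at Response.Cookies.
        app.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookieCollection cookies = ctx.Response.Cookies;

        // Iterate by index. Response.Cookies[".ASPXAUTH"] must not be used here: reading a
        // name that is absent from the *response* collection creates an empty cookie and
        // adds it to the response, which would itself overwrite the browser's cookie.
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];
            if (!string.Equals(cookie.Name, AuthCookieName, StringComparison.OrdinalIgnoreCase))
                continue;

            // A session cookie has Expires == DateTime.MinValue; a deletion has an empty
            // value and/or an expiry in the past (FormsAuthentication uses 12 Oct 1999).
            bool deletesCookie = string.IsNullOrEmpty(cookie.Value)
                || (cookie.Expires != DateTime.MinValue && cookie.Expires < DateTime.Now);
            if (!deletesCookie)
                continue;

            string user = ctx.User != null && ctx.User.Identity.IsAuthenticated
                ? ctx.User.Identity.Name
                : "(anonymous)";

            // Trace output is visible in the debugger or DebugView; swap in your own logger.
            Trace.TraceWarning(
                "Response to {0} {1} (status {2}) deletes cookie {3}: value='{4}', expires={5:u}, user={6}",
                ctx.Request.HttpMethod, ctx.Request.RawUrl, ctx.Response.StatusCode,
                cookie.Name, cookie.Value, cookie.Expires, user);
        }
    }

    public void Dispose()
    {
    }
}
```

Register the module in web.config under <system.webServer><modules> with an entry such as <add name="AuthCookieClearWatcher" type="AuthCookieClearWatcher, YourAssembly"/>, where YourAssembly is a placeholder for the web project's assembly name. Once the first logged entry shows a request that was answered with the deleting Set-Cookie, the status code tells you whether it was the 302 to the Login page or an earlier response, and the user field tells you whether the ticket had already stopped validating on that request.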

2 Answers

    <authentication mode="Forms">
      <forms name="NAME" loginUrl="YOUR_LOGIN_URL" timeout="3000"></forms>
    </authentication>

You can add this piece of code inside your Web.config.

Note: the timeout attribute is in minutes.

Amin
  • Timeout is set to 15 minutes. It's not the timeout; somehow ASP.NET serves an expired cookie within a few page visits, which is far from the 15-minute timeout. – Leadfoot Jan 28 '21 at 16:15

There are two factors that can cause this problem: one is IIS settings and the other is code configuration. These are not included in the information you provided, so I list them all for your reference.

Using the in-process session mode will store data in the worker process, which is the current memory object. If the application uses too much memory on the server, the server will restart (or the application pool may be recycled) and the cookie will be empty. This requires you to monitor the memory changes of the server or worker process (aspnet_wp.exe).

If you visit a certain page and the cookie is empty, please check whether Response.Cookies[string] is used in the code. ASP.NET will automatically generate a new cookie to overwrite the old cookie and cause information loss. Please use the Request.Cookies collection to read cookies.

The FormsAuthentication cookie is encrypted and decrypted using the MachineKey on IIS. By default, the application is set to automatically generate the machine key, and application recovery will generate a new key. If your application uses a web farm or web garden and the application is load-balanced, each server cannot decrypt the encrypted cookies from the other servers, which can also cause this problem. The solution is to customize the MachineKey section in web.config; then even if the application pool is recycled, the key will not change.

    <system.web>
      <machineKey validationKey="EBC1EF196CAC273717C9C96D69D8EF314793FCE2DBB98B261D0C7677C8C7760A3483DDE3B631BC42F7B98B4B13EFB17B97A122056862A92B4E7581F15F4B3551"
        decryptionKey="5740E6E6A968C76C82BB465275E8C6C9CE08E698CE59A60B0BEB2AA2DA1B9AB3"
        validation="SHA1" decryption="AES" />
    </system.web>

Bruce Zhang
  • Hi, I confirmed in the system logs that the application pool was always shut down properly due to inactivity, which is set to 20 minutes. We only set the authentication cookie on login and it's never reissued through our code. – Leadfoot Jan 29 '21 at 10:19
  • Do you use manually generated cookies to store information, and set the validity period of the cookie in the code? The validity period of the cookie in the code will override the configuration in web.config. – Bruce Zhang Feb 02 '21 at 09:32
  • Cookie is issued through use of FormsAuthentication.SetAuthCookie as explained in description. Validity period is set by FormsAuthentication to Session which is correct. – Leadfoot Feb 08 '21 at 12:07
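The two code-level points in the answer above, indexing Response.Cookies by name and decrypting the ticket with the machineKey, as an added example that is my own code and not the answer's: the Response.Cookies pitfall beside the safe Request.Cookies read, plus a helper that decrypts the ticket the browser actually sent using the current machineKey. The cookie name .ASPXAUTH is assumed from the question's web.config; the class and method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; not the answer's own code. Shows the Response.Cookies pitfall beside
// the correct read, and a ticket check that exposes machineKey mismatches.
public static class AuthCookieChecks
{
    // Assumed cookie name, taken from the question's <forms name=".ASPXAUTH"> setting.
    private const string AuthCookieName = ".ASPXAUTH";

    // WRONG: indexing the *response* collection by a name that is not in it creates an
    // empty HttpCookie and queues it for the client. This "check" returns false and, worse,
    // sends the browser an empty .ASPXAUTH that overwrites the valid one it already has.
    public static bool HasAuthCookieWrong(HttpContextBase ctx)
    {
        HttpCookie c = ctx.Response.Cookies[AuthCookieName];
        return c != null && !string.IsNullOrEmpty(c.Value);
    }

    // RIGHT: read what the browser sent from the request collection. Request.Cookies
    // returns null for a missing name and never changes the outgoing response.
    public static bool HasAuthCookie(HttpContextBase ctx)
    {
        HttpCookie c = ctx.Request.Cookies[AuthCookieName];
        return c != null && !string.IsNullOrEmpty(c.Value);
    }

    // Decrypts the incoming ticket with the current machineKey. A decryption failure on a
    // cookie this same site issued moments ago means the key changed between requests:
    // an auto-generated key after a recycle, or different keys across farm nodes.
    public static string DescribeTicket(HttpContextBase ctx)
    {
        HttpCookie c = ctx.Request.Cookies[AuthCookieName];
        if (c == null || string.IsNullOrEmpty(c.Value))
            return "no forms ticket in request";

        try
        {
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(c.Value);
            if (t == null)
                return "ticket did not decrypt";
            if (t.Expired)
                return "ticket for '" + t.Name + "' expired at " + t.Expiration.ToString("u");
            return "valid ticket for '" + t.Name + "' until " + t.Expiration.ToString("u")
                 + (t.IsPersistent ? " (persistent)" : " (session)");
        }
        catch (Exception ex)
        {
            // The exact type varies by framework version (HttpException, CryptographicException,
            // ArgumentException); all of them mean the bytes were not produced with this key.
            return "ticket failed to decrypt: " + ex.GetType().Name;
        }
    }
}
```

DescribeTicket can be called from a throwaway diagnostic action while reproducing the problem; a ticket issued seconds earlier that reports "failed to decrypt" is the signature of a changed machineKey, which the explicit <machineKey> element in the answer removes as a cause. HasAuthCookieWrong is included only to make the pitfall concrete; a grep for Response.Cookies[ in the code base finds the same pattern.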