2

A while ago I posted a question about forms auth timing out randomly. I thought that question was solved, but apparently it's not.

So: I have session, membershipprovider, and forms auth timeouts set to 15 minutes. When I view my site, I am getting logged out randomly, but as in my question, I see that I am getting logged out mainly when links to my site change - from www.mysite.com to mysite.com and vice versa. Does that matter? If so, is there anything I can do so that MVC will recognize www. and no-www. versions as the same?

John Saunders
ojek

2 Answers

1

Specifically set the cookie domain in your auth cookie via the web.config.

Secondly, and probably unrelated, but just for safe measure: are you handling the syncing of timeouts between your session and forms auth? Even if they are both set to 15 minutes, they can time out at very different times.

See my post at: Forms Authentication Timeout Logging

Community
Adam Tuliper
0

There is a big difference between www.mysite.com and mysite.com. They will run in 2 different sessions and cookies. Even search engines will recognise them as 2 different websites.

You should try to always use links to 1 of those, and do a 301 redirect as soon as the request begins. You can put some code in Global.asax to validate the host header at BeginRequest.

The best way to solve this issue is by using the Rewrite module in IIS7 that does this automatically for you.

Carlos Martinez T
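The two suggestions above (an explicit forms-auth cookie domain, and a 301 redirect to one canonical host through the IIS URL Rewrite module) combined in one web.config fragment. This is an added example, not code from either answer; it assumes the site is served over HTTPS, that the URL Rewrite module is installed, and a login path of `~/Account/LogOn`, with mysite.com standing in for the real host as in the question.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- domain: the auth cookie is scoped to mysite.com and all of its
           subdomains, so www.mysite.com and mysite.com present the same
           ticket. Every other subdomain of mysite.com receives it too,
           so only do this if all of them are trusted.
           requireSSL: assumes HTTPS; the cookie is never sent over HTTP.
           loginUrl: assumed path, replace with the application's own. -->
      <forms loginUrl="~/Account/LogOn"
             timeout="15"
             slidingExpiration="true"
             domain="mysite.com"
             requireSSL="true" />
    </authentication>
    <!-- Session timeout kept at the same 15 minutes as in the question. -->
    <sessionState timeout="15" />
  </system.web>

  <system.webServer>
    <rewrite>
      <rules>
        <!-- Canonical host: any request for the bare domain is answered
             with a 301 to the www host, so links, session cookies and
             auth cookies all end up on a single host name. The path is
             carried in {R:1}; the query string is appended by default. -->
        <rule name="CanonicalHost" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^mysite\.com$" />
          </conditions>
          <action type="Redirect"
                  url="https://www.mysite.com/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With the redirect in place the explicit cookie domain is a second line of defence rather than the fix itself: a browser that only ever talks to www.mysite.com has one session cookie and one auth cookie to keep in step.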