8

I am having an issue with a "remember me" style checkbox on an MVC6 project. I had a related question here that solved the issue for debugging on my localhost, however after deploying the project to our dev environment, it still forces me to re-login after 20 minutes.

The 20 minute time span made me think something was mis-configured with IIS. I set my app pool (configured as "no managed code") idle timer to go idle after 1 minute. Sure enough, after 1 minute, I have to re-login again.

This leads me to believe that my persisted authentication cookie is no longer being accepted as valid after an app pool recycle (even though my cookie is configured to not expire to 10 days and the SecurityStampValidationInterval is set for 10 days and 1 minute.

I've seen something similar in earlier versions of .NET related to a web.config's machine key, but MVC6 doesn't have a system.web section in the web.config for me to put a machine key.

My .NET5 project DNX is targeting the full .NET framework and not .NET Core.

Community
  • 1
  • 1
mituw16
  • 5,126
  • 3
  • 23
  • 48

2 Answers2

7

How have you configured data protection? With IIS and DNX we don't know where to store keys in a persistent manner, unless you load a profile, which isn't the default. So once your app terminates all the keys used to sign the authentication cookies get thrown away. This doesn't happen in IIS Express, because IIS Express loads profiles.

You have a couple of options here. You can either run a provisioning script on the IIS server to create some registry entries ASP.NET can use, or you can configure data protection to use the file system which is what you would do if you were wanting to run multiple hosts.

blowdart
  • 55,577
  • 12
  • 114
  • 149
  • I see. I was researching data protection, but I was not able to figure out from the doucmentation that I needed to configure it to use the file system or registry to use persisted keys. Thank you for your assistance! I know .Net 5 is still relatively new, so we're all learning :) – mituw16 Feb 21 '16 at 13:36
  • If you have suggestions on how we can surface this better in docs or templates please let me know. – blowdart Feb 21 '16 at 17:44
  • The docs are great! I got tripped up because I didn't make the 2 + 2 = 4 connection that I needed to persist to the file system (or registry) in order to allow Identity to have it's persisted keys. In reality, the answer was right there, I just didn't see it. I'd been working at the issue for so long I missed the simple answer :) – mituw16 Feb 22 '16 at 13:29
1

EDIT

See @blowdart's answer for a better solution.

For anyone who is encountering the same issue I had, the "fix" that I implemented for this is to set the Idle Timer in IIS to 0, which means never timeout.

I am still searching to try to figure out a real solution, as some hosting environments may not allow the idle timer to be set to 0 (usually shared hosting etc).

mituw16
  • 5,126
  • 3
  • 23
  • 48