
I have been having issues where users will sometimes be logged out before they should have reached timeout, sometimes just a few minutes after logging in. It worked fine in the lower environment until we got to prod. Users are launching the site in a Citrix IE app. I'm using ASP.NET MVC 5 with Identity Framework. Here is how I'm setting up the auth cookie:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Authentication/Index"),
    ExpireTimeSpan = TimeSpan.FromHours(4),
    SlidingExpiration = true,
    Provider = new CookieAuthenticationProvider()
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            TimeSpan.FromSeconds(5),
            (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

In the web.config I have session state configured as InProc with a timeout of 240 minutes. IIS is configured to only restart the site at 1am and to shut down worker processes if it's been idle for 2 hours. The site is hosted on a single server with failover to a secondary server. I've validated in the IIS logs that we've never hit the secondary server. I also have all the logging turned on for IIS recycles to make sure a recycle isn't occurring. I was using the standard AuthorizeAttribute but am now inheriting from it to provide some logging for when the problem occurs. In my log I see that .AspNet.ApplicationCookie is created when users log in but is gone when the error occurs, but I do see other cookies.

I've been googling it for a couple hours and can't find anything that matches. What would cause this cookie to be deleted?

EDIT: Here is what is in the web.config

<sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="240">
Belaroth
  • I bet it is InProc setting – Chizh Jul 05 '16 at 19:09
  • Check my answer here: http://stackoverflow.com/a/36440655/3743442 – Hadee Jul 05 '16 at 20:58
  • @Hadee, I've verified that the app pool isn't recycling and that I'm only hitting one server. Are there other reasons to set the MachineKey? According to the MSDN you reference, those are the default values for the MachineKey. If I was going to set it in the web.config wouldn't I want to generate one? – Belaroth Jul 06 '16 at 18:14
  • You don't need to create one. Generally it is enough. But if you want to create your own, you can use two links I provided at the end of my answer. – Hadee Jul 06 '16 at 20:51
  • @Hadee, why would that change anything? It's not changing any values. – Belaroth Jul 07 '16 at 21:19
  • Because it is "AutoGenerate"! – Hadee Jul 07 '16 at 22:14
  • I tried adding a MachineKey but it didn't fix the problem. I think the SecurityStamp in the db isn't matching what's in the cookie. But I don't know what the user could be doing that would cause that. – Belaroth Jul 12 '16 at 21:37
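
One way to test the SecurityStamp hypothesis from the last comment, as an added example that is not part of the original thread: wrap the validator from the question so that every rejection is logged with the cookie's details. `ApplicationUserManager`, `ApplicationUser` and the option values are the question's own; the claim type string is the ASP.NET Identity 2 default, and writing to `Trace` is an assumption about where the logs should go.

```csharp
using System;
using System.Diagnostics;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Default claim type ASP.NET Identity 2 uses for the stamp stored in the cookie.
    private const string StampClaimType = "AspNet.Identity.SecurityStamp";

    public void ConfigureAuth(IAppBuilder app)
    {
        // Same validator and 5-second interval as in the question.
        var stampValidator = SecurityStampValidator
            .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                TimeSpan.FromSeconds(5),
                (manager, user) => user.GenerateUserIdentityAsync(manager));

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Authentication/Index"),
            ExpireTimeSpan = TimeSpan.FromHours(4),
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = async context =>
                {
                    // Capture cookie details first: a rejected identity is
                    // cleared from the context by the validator.
                    var userId = context.Identity?.GetUserId();
                    var stamp = context.Identity?.FindFirst(StampClaimType)?.Value;
                    var issuedUtc = context.Properties?.IssuedUtc;

                    await stampValidator(context);

                    if (context.Identity == null)
                    {
                        // Log only a prefix of the stamp; enough to compare with the DB row.
                        var prefix = stamp?.Substring(0, Math.Min(8, stamp.Length));
                        Trace.TraceWarning(
                            "Cookie rejected by SecurityStampValidator: user={0} stampPrefix={1} issuedUtc={2:o}",
                            userId, prefix, issuedUtc);
                    }
                }
            }
        });
    }
}
```

If users are logged out and this warning never appears, the cookie was not rejected in this callback and was lost somewhere else.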

0 Answers