
Recently I created my new website in .NET Core 2.0 and I'm using a persistent cookie for authentication. I'm also using a persistent culture cookie for the language.

My website is hosted in the Azure shared pool and I didn't specify any machine key.

Problem: when I re-open my website after a few hours of inactivity (new browser), I lose my auth cookie and I need to log in again, but the culture cookie works as per the last session.

I also set up an Application Insights availability test to keep my application warmed up (it pings the website every 10 min from 2 different locations).

LoginController

    // Usings this fragment depends on (added so the snippet is self-describing)
    using System;
    using System.Collections.Generic;
    using System.Security.Claims;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authentication.Cookies;

    if (this.accountService.ValidateOTP(phoneNumber, otp))
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.MobilePhone, phoneNumber),
            new Claim(ClaimTypes.Name, phoneNumber)
        };
        var userIdentity = new ClaimsIdentity("Custom");
        userIdentity.AddClaims(claims);
        ClaimsPrincipal userPrincipal = new ClaimsPrincipal(userIdentity);

        //await HttpContext.SignOutAsync("AnimalHubInstance");
        // The ticket is serialized and encrypted with the Data Protection key ring
        // before it is written into the cookie, so its validity depends on that
        // key ring still being available, not only on the expiry set here.
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            userPrincipal,
            new AuthenticationProperties
            {
                IsPersistent = true,
                // ExpiresUtc expects a UTC instant; DateTime.Now is local time.
                ExpiresUtc = DateTimeOffset.UtcNow.AddYears(1),
            });
    }

Startup

    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(option =>
        {
            option.LoginPath = new PathString("/Account/Unauthorized");
            option.LogoutPath = new PathString("/Account/Logout");
            option.Cookie.Name = ".myAuth";
            // Lifetime of the authentication ticket; with IsPersistent the handler
            // also derives the cookie's Expires attribute from this value.
            option.ExpireTimeSpan = TimeSpan.FromDays(365);
            // Not used by the cookie authentication handler (it resets the cookie
            // expiry from the ticket); ExpireTimeSpan above is what matters.
            option.Cookie.Expiration = TimeSpan.FromDays(365);
        });


Pankaj Rawat
  • I noticed that the auth and culture cookies are used for localhost. Does this issue only occur when your application is deployed to an Azure web app? Also, you could [configure data protection](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview) or scale up your pricing tier to Basic or higher to narrow this issue down. Additionally, you could enable the **Always On** feature to keep your app loaded all the time; your web app needs to be under Basic or Standard mode, details you could follow [here](https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure). – Bruce Chen Nov 30 '17 at 05:33
  • @BruceChen as of now I can't go with Basic or higher. I think this issue is only coming on Azure (now I'm creating a new instance to dig into more detail). I set up an Application Insights availability test to keep my site warmed up. After a restart, my application is still working (keeps the sign-in and maintains the culture). – Pankaj Rawat Nov 30 '17 at 08:28

2 Answers

1

You need to use the data protection to persist your session encryption keys.

When hosting apps in Azure App Service or IIS in general (in VM or on-premises), IIS will recycle apps and app pools on inactivity. So if your app doesn't get hit for a specific amount of time, it will be shut down and started again on next connection.

When this happens, new encryption keys will be generated for the session and your previous session will be invalid.

Tseng
  • I partially agree with you, but I set up an "Application Insights availability" test to warm up my application (it pings the website every 10 min from 2 different locations). I'm also going to try the data protection API... – Pankaj Rawat Nov 30 '17 at 04:24
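As an added example of the mitigation this answer describes (this is not Tseng's code and not the asker's project), the following Startup fragment pins the Data Protection key ring to persistent storage so the keys that encrypt the authentication ticket survive an app-pool recycle. The application name, the key directory under %HOME% and the cookie settings are assumed placeholders; the package names in the comments are the Azure storage and Key Vault providers for ASP.NET Core 2.x.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // On Azure App Service, %HOME% is the app's persistent file share.
        // Outside Azure fall back to a folder next to the app. Assumed example path.
        var home = Environment.GetEnvironmentVariable("HOME");
        var keyDir = Path.Combine(
            string.IsNullOrEmpty(home) ? Environment.CurrentDirectory : home,
            "dp-keys");

        services.AddDataProtection()
            // Every instance must use the same name, otherwise each app isolates its keys.
            .SetApplicationName("myweb-placeholder")
            // Keys written here are read back after a recycle instead of being regenerated.
            .PersistKeysToFileSystem(new DirectoryInfo(keyDir))
            // 90 days is the framework default; shown explicitly for clarity.
            .SetDefaultKeyLifetime(TimeSpan.FromDays(90));
        // Keys persisted this way are stored in plain XML unless a key-encryption
        // option is added. For multi-instance hosting the
        // Microsoft.AspNetCore.DataProtection.AzureStorage package provides
        // .PersistKeysToAzureBlobStorage(...) and the
        // Microsoft.AspNetCore.DataProtection.AzureKeyVault package provides
        // .ProtectKeysWithAzureKeyVault(...) to encrypt the key ring at rest.

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.Name = ".myAuth";
                // Ticket lifetime; a persistent sign-in gets a cookie Expires derived from it.
                options.ExpireTimeSpan = TimeSpan.FromDays(365);
            });
    }
}
```

After deploying, the key directory should contain one `key-{guid}.xml` file whose id stays the same across restarts; a new file appearing after every recycle means the key ring is still not being persisted.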
1

When I re-open my website after a few hours of inactivity (new browser), I lose my auth cookie and I need to log in again, but the culture cookie works as per the last session.

The value of your culture cookie is just URL-encoded. As Tseng said, the machine key for hashing and encryption may automatically regenerate at some point. I assumed that this issue is caused by the pricing tier you chose. For the Free and Shared tiers, your application runs on shared infrastructure and you only have limited resources (e.g. CPU time, RAM, disk space) and no SLA.

App Service limits: [image of the pricing-tier limits table, not reproduced here]

Moreover, I tried to restart the website and recycle the application pool on my local side, and the authentication cookie could still work as expected. For my web app hosted under the Basic pricing tier, I have not encountered this issue so far.

Bruce Chen
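The contrast this answer draws (a culture cookie that is plain URL-encoding versus an auth cookie that only decrypts with the key ring that produced it) can be reproduced offline. The console program below is an added example, not code from either answer; it uses the Microsoft.AspNetCore.DataProtection.Extensions package, and the ticket text, purpose string and culture value are constructed sample data. Key ring A stands for a recycle where the keys were persisted, key ring B for a recycle where they were regenerated.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

class KeyRingDemo
{
    // Constructed purpose string; the real cookie handler uses its own.
    const string Purpose = "auth-cookie-demo";

    static IDataProtector ProtectorFor(DirectoryInfo keyDir) =>
        DataProtectionProvider.Create(keyDir).CreateProtector(Purpose);

    static DirectoryInfo FreshKeyDir() =>
        Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "dp-demo-" + Guid.NewGuid()));

    static void Main()
    {
        // Constructed stand-in for the serialized authentication ticket.
        const string ticket = "phone=+10000000000;name=demo;expires=2018-11-30";

        var keyRingA = FreshKeyDir();   // keys written here and kept
        var keyRingB = FreshKeyDir();   // empty: simulates regenerated keys

        // "First process": protect the ticket; this is what ends up in the cookie.
        string authCookie = ProtectorFor(keyRingA).Protect(ticket);

        // "After a recycle" with persisted keys: a new provider reading the same
        // directory loads the same key and unprotects successfully.
        string restored = ProtectorFor(keyRingA).Unprotect(authCookie);
        Console.WriteLine($"same key ring  : {restored}");

        // "After a recycle" where the keys were lost: the new provider generates a
        // fresh key, the old key id is unknown, and the cookie is rejected.
        try
        {
            ProtectorFor(keyRingB).Unprotect(authCookie);
            Console.WriteLine("new key ring   : unexpectedly accepted");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"new key ring   : {ex.GetType().Name}, user must sign in again");
        }

        // The culture cookie carries no cryptography at all, so it is unaffected
        // by which key ring the process currently holds. Constructed sample value
        // in the "c=<culture>|uic=<ui culture>" shape used by the cookie provider.
        string cultureCookie = Uri.EscapeDataString("c=en-US|uic=en-US");
        Console.WriteLine($"culture cookie : {Uri.UnescapeDataString(cultureCookie)}");

        keyRingA.Delete(recursive: true);
        keyRingB.Delete(recursive: true);
    }
}
```

Running it prints the restored ticket for key ring A, a CryptographicException for key ring B, and the decoded culture string in both cases, which is exactly the asymmetry observed in the question: the culture cookie keeps working while the auth cookie is silently dropped.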