0

I have an ASP.NET Core 2.2 application running in a B1 instance in Azure App Services. If I log into the website, and open it on another machine, I am logged in on that machine too, including access to all pages protected by Authorization. When I log out on the second machine I'm not automatically logged back in until I clear the browser cache and restart the browser.

A similar issue was described here, but was never really answered: ASP.NET Core identity shared across browser

This behavior seems to be somehow related to be running in an Azure App Service (Linux). I had the site running in a Docker image on a normal Linux VM (Ubuntu 18.04, official MS Docker image) before, and did not encounter this problem.

Here is all code from Startup.cs that could be relevant:

public void ConfigureServices(IServiceCollection services)
        {
[...]
 services.Configure<CookiePolicyOptions>(
                options =>
                {
                    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                    options.CheckConsentNeeded = _ => false;
                    options.MinimumSameSitePolicy = SameSiteMode.None;
                });
[...]
services.AddIdentity<User, IdentityRole>()
                .AddErrorDescriber<TopikonIdentityErrorDescriber>()
                .AddEntityFrameworkStores<TopikonContext>()
                .AddDefaultTokenProviders();
            services.AddAuthentication();
            services.AddAuthorization(
                options =>
                {
                    options.AddPolicy(
                        TopikonPolicies.ControlPanel,
                        policy => policy
                            .RequireRole(TopikonRoles.ControlCenterAccess));                    
                });

services        .AddMvc()                
                .AddRazorPagesOptions(
                    options =>
                    {
                        options.AllowAreas = true;
                        options.Conventions.AuthorizeFolder("/");                       
                    }).SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

[...] }

public static void Configure(IApplicationBuilder app, IHostingEnvironment env){
[...]
app.UseCookiePolicy();
app.UseAuthentication();
app.UseSession();
app.UseMvc();
}

App Service Authentication is switched on and set to "Allow Anonymous". I tried switching it off, but the result was the same. I'd like users to be logged in only on the machine they are using, and not to provide their login to everyone visiting the site. Unfortunately I'm not quite sure where to look for answers.

stipps
  • 41
  • 1
  • 1
  • This is.. somewhat odd? Just out of curiosity.. did you try turning off ARR (session affinity) for your app service? Probably has nothing to do but.. I would eliminate that first – jpgrassi Aug 23 '19 at 11:21
  • @jpgrassi Interesting, ARR was turned off. I turned it on, and as far as I can tell this fixed the problem. Was not aware of this setting at all. I will test it further to make sure this was the solution. Thanks a lot! – stipps Aug 23 '19 at 11:39
  • No worries. But consider this because it might have an impact on your services. With ARR enabled the load is not distributed "smartly" across nodes anymore. That might be okay or not, depending on your requirements. – jpgrassi Aug 23 '19 at 11:41
  • @jpgrassi At the moment that will not be a problem. Either way, I'll have a look if there is any documentation of how to use ASP.NET Core Identity with ARR switched off. – stipps Aug 23 '19 at 12:10
  • Unfortunately turning on ARR did not resolve the problem completely. Just tested on a PC that never opened the site, and the user was directly logged in .. – stipps Sep 02 '19 at 09:14
  • Can you output the datetime on a page, and check it gets refreshed. If it does, then atleast you can rule out a caching issue. – MindingData Sep 04 '19 at 19:03
  • @MindingData Excellent idea. Just did that, turns out that I get the correct date time, not a cached one. So the problems seems to be with ASP.NET Core – stipps Sep 06 '19 at 06:35
  • @stipps how did you solve the problem ? could you please share ? I'm having the same problem. – Josep Dec 22 '20 at 21:50
  • @Josep After length troubleshooting with the Azure support we 'just' migrated the app to dotnet core 3.1, which eliminated the problem for us. Unfortunately we never found the root cause. – stipps Dec 22 '20 at 21:53
  • Thanks @stipps, it's very strange, as in my case, it'a a dotnet core 3.1 app. – Josep Dec 23 '20 at 07:30

0 Answers0