I just got pinged on another post because my application doesn’t keep the user logged in after an iisreset.
How do I solve an AntiForgeryToken exception that occurs after an iisreset in my ASP.Net MVC app?
I have to say I agree with the commenter that it is an artificial restriction.
From what I’ve read about Forms Authentication it appears that the logged in session information is all stored in memory and when the server is restarted you lose that information.
What I’d like to do is to simply be able to store that information somewhere, ideally in a database so that I can continue on with my sessions. I can’t seem to find any way to extend it to do that though. Am I missing something? Have I misunderstood how it’s working?
I realise that this is a ‘free’ piece of kit they’re giving us but I’d rather not roll my own because there’s a lot they got right and that I have the potential to screw up with my own solution.
Edit: Note this doesn’t have anything to do with Session state. As far as I know I’m not using session state at all unless something under me in the framework uses it internally.
I realise that the cookies are used by the authentication but they haven’t expired. I’m still getting bounced to the login page after an iisreset though.
Sounds like your problem here is that the
<machineKey />validationKeyanddecryptionKeyattributes are set toAutoGeneratewhich means they’re changing across IIS resets.This means that encrypted persistent forms authentication cookies will no longer be valid the next they’re presented.
You can fix this by manually configuring a fixed
validationKeyanddecryptionKey. To do this take a look at this article:Scroll down to the section on “Web Farm Deployment Considerations” and Generate Cryptographically Random Keys.