I need an app pool recycle to be completely transparent to the users of my web app.
Currently, upon an IIS 7 App Pool recycle all users logged into my web app are kicked out and are required to log back in (Context.User.Identity.IsAuthenticated is set to false). I employ SQL State Server, I use forms authentication and both are configured to use cookies. I was under the impression that .NET and/or IIS handles authentication of cookies.
However, every time the app pool is recycled Context.User.Identity.IsAuthenticated is set to false (and I’ve no idea where this occurs) my users are kicked out and are required to log back in. I can see that the session id remains the same throughout logins, I can also view this session information in the database/state server.
I can’t tell if this is a session or a cookie problem.
Please Help!
Logon method:
public ActionResult LogOn(string userName, string password, bool rememberMe, string returnUrl)
{
if (!ValidateLogOn(userName, password))
{
return View();
}
FormsAuth.SignIn(userName, true); // uses FormsAuthentication.SetAuthCookie(username, true);
Session["userName"] = userName;
if (!String.IsNullOrEmpty(returnUrl))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("Index", "Home");
}
}
Custom Controller Attribute:
public class CookieAuthorizeAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
HttpContext lvContext = HttpContext.Current;
if (!lvContext.User.Identity.IsAuthenticated)
{
lvContext.Response.Redirect("~/Account/Logon");
}
else
{
FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
FormsAuthentication.RenewTicketIfOld(identity.Ticket);
}
base.OnActionExecuting(filterContext);
}
}
WebConfig:
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~/Account/LogOn" slidingExpiration="true" name=".ASPXAUTH" requireSSL="false" timeout="2880" />
</authentication>
<modules runAllManagedModulesForAllRequests="true">
<remove name="ScriptModule" />
<remove name="UrlRoutingModule" />
<remove name="Session" />
<remove name="FormsAuthentication" />
<add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web.Routing, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add name="NHibernateMvcSessionModule" type="EpnNHibernateBase.NHibernateMvcSessionModule, EpnNHibernateBase" />
<add name="Session" type="System.Web.SessionState.SessionStateModule" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</modules>
I was able to find a solution on my own. The problem was not with how authentication was handled programmatically or how I was authenticating users. The problem was with how I had configured the authentication in IIS/web.config.
I carefully followed the steps in the links listed below:
Configuring Forms Authentication (IIS 7) (Branching out on every related section)
Configuring Machine Keys in IIS 7 <– This one in particular
After having followed those steps closely I was able to correctly generate a machine key.
This machine key is as follows (with a fabricated key):
Additionally,
httpModulesandsystem.webServer:modulessections in theweb.configrequired the addition of the following modules:Summary: From what I gather, cookies were being created and encrypted, but because there was no machine key I was unable to unencrypt the cookie, thus causing the need to reauthenticate.