
I have a site that uses FormsAuthentication and yes, the name of the cookie is .ASPAUX :)

I can log in perfectly. The server creates a forms authentication ticket, packs it in a cookie, properly determines the expiration time (1 year ahead) and sends it to the client.

For some reason, after some time, even though the cookie is still there (I can see it with FireCookies), HttpContext.Current.Request.IsAuthenticated becomes false at the server. It's as if the cookie couldn't be validated.

The problem is: Why would that happen? How can I debug why the cookie suddenly becomes invalid without expiring?

EDIT

Here's the login method:

public static bool Login(int id)
{
    try
    {
        string securityToken = UserHelper.AuthenticateUser(id);

        // Ticket and cookie both expire one year from now; isPersistent = true
        DateTime expiryDate = DateTime.Now.AddYears(1);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, id.ToString(), DateTime.Now, expiryDate, true,
            securityToken, FormsAuthentication.FormsCookiePath);

        // Encrypted/MAC'd with the machineKey, then sent as the forms cookie (.ASPAUX)
        string encryptedTicket = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        cookie.Expires = expiryDate;

        HttpContext.Current.Response.Cookies.Add(cookie);

        return true;
    }
    catch
    {
        return false;
    }
}

And the web.config:

<authentication mode="Forms">
    <forms loginUrl="~/Login.aspx" timeout="2880" slidingExpiration="true"/>
</authentication>
Andre Pena

2 Answers

Set static machine keys in your web.config to make sure that the encryption key used in generating your ticket survives an application pool being recycled (or your website being restarted in the ASP.NET web server)?

Also see the Forms Authentication Tickets section of this MSDN library article

Neil Fenwick
  • Is the DEFAULT behavior of the ticket encryption to INVALIDATE tickets just because the server restarted? Isn't it a little bit odd? – Andre Pena Oct 17 '10 at 18:27
  • Thanks by the way. I'll give it a try. I don't exactly know how to assign static machine keys but I'll look after it now. – Andre Pena Oct 17 '10 at 18:28
  • We're close to the solution. Just verified: Restarting the website has no effect, but recycling the Application Pool causes all the forms authentication tickets to expire. I'm going to try the static keys now. – Andre Pena Oct 17 '10 at 18:40
  • I was able to set static keys and now it's no longer sensitive to the application pool recycle, which is already an advantage. Now I'll see if it will expire. – Andre Pena Oct 17 '10 at 19:01
  • Hi @Ciwee, it's not so much that the ticket encryption intentionally invalidates the tickets. The ticket is encrypted using the MACHINE KEY and the default for that, unless it's explicitly specified, is to auto-generate. So that implies it would be a new key every time the app restarted. – Neil Fenwick Oct 17 '10 at 20:16
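As an added illustration of the static machine key this answer recommends (not code from the answer or the question): a small C# console program, hypothetically named MachineKeyGenerator, that draws random key material from the OS CSPRNG and prints a machineKey element to paste into web.config. It assumes .NET Framework 4 or later (validation="HMACSHA256"; on 3.5 use validation="SHA1") and the key sizes noted in the comments.

```csharp
using System;
using System.Security.Cryptography;

// Added example: emits a static <machineKey> so forms-auth tickets keep
// validating across application pool recycles (and across servers in a farm).
static class MachineKeyGenerator
{
    // Returns byteCount random bytes as upper-case hex, the format machineKey expects.
    static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    static void Main()
    {
        // Assumed sizes: 64 bytes (128 hex chars) for the HMACSHA256 validation key,
        // 32 bytes (64 hex chars) for an AES-256 decryption key.
        string validationKey = RandomHex(64);
        string decryptionKey = RandomHex(32);

        Console.WriteLine("<!-- place inside <system.web>; use the same values on every server -->");
        Console.WriteLine("<machineKey validationKey=\"{0}\"", validationKey);
        Console.WriteLine("            decryptionKey=\"{0}\"", decryptionKey);
        Console.WriteLine("            validation=\"HMACSHA256\" decryption=\"AES\" />");
    }
}
```

Treat the printed keys like any other secret: anyone holding them can forge a FormsAuthenticationTicket for any user, so keep web.config out of source control or encrypt the section with aspnet_regiis.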

A few things I can think of to check:

Do you have multiple domains (including www.domain.com vs domain.com)?

If so, either set the domain in the cookie as domain.com or ensure you always use the same domain

Are you using HTTPS?

If so, make sure you're always accessing the cookie via HTTPS or making sure that Secure is set to false on the HttpCookie (otherwise it's only accessible on HTTPS requests)

Are you writing the cookie from a virtual directory?

If so, the "path" on the cookie might be set and it won't be accessible from outside the path.

Do you have multiple web servers?

If so, make sure your machine key is set to the same value (though that should be throwing an exception)

Richard Szalay