Tuesday, 31 October 2006

Cookie Timeout Problem

I recently had a problem where, for some reason, my cookies were timing out before the time I set in the forms timeout tag.

Background

ASP.NET 2.0 site with forms auth using Active Directory Membership provider and the ASP Login Control. IIS 6.0 with separate App Pool being run by a custom domain account.

Following in Web.Config:

<membership defaultProvider="MyADMembershipProvidor">
  <providers>
    <add name="MyADMembershipProvidor"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnectionString"
         attributeMapUsername="sAMAccountName"
         enableSearchMethods="true" />
  </providers>
</membership>

<authentication mode="Forms">
  <forms name=".ADAuthCookie" timeout="50000000" slidingExpiration="true" loginUrl="FormsLogin.aspx" />
</authentication>

<sessionState timeout="30">
</sessionState>

Problem

Everything worked fine: I could authenticate using forms auth on the site, and this would use AD fine. However, once I left the page idle for 20 minutes and clicked on a link, I would be redirected back to the login page to authenticate. The problem was the same for both persistent and non-persistent cookies.

Solution

After spending some time thinking I was going mad, I created a simple test harness. I used this to play around with the forms timeout, session timeout and roles cookie timeout. If I used a forms timeout value of less than 20 minutes, all would work as expected; however, a value greater than 20 minutes would not work, and after 20 minutes I would still be required to log in again.

After about a day of debugging, I finally tracked the problem down to the worker process shutting down after 20 minutes of idle time. This config setting is found in the properties of the worker process under performance. If I unchecked this, everything worked as expected. So the issue is around the App Pool recycling.

I found this article about invalid viewstate after an App Pool recycling when the identity is not Network Service.

A known ASP.NET bug is that the decryption and validation keys used for encryption are not maintained between App Pool recycles if the identity is not Network Service. Any encryption performed using these keys will therefore not be valid after the App Pool is recycled; this includes any encrypted cookies.

Finally I had found the problem: when the App Pool recycles, the keys are not maintained and new ones are generated. As a result, any encrypted cookies, including the forms auth cookie, cannot be decrypted on subsequent requests from the browser and are discarded.

To resolve this, I edited the machine.config with a static decryption and validation key using this console app.

Everything is working fine now :)
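
An added example, not the console app the post refers to and not code from the original page: a C# console program that models the failure with an HMAC over a constructed ticket (the real forms auth cookie is also encrypted), then prints a machineKey element with freshly generated static keys. The class name, the ticket string and the key sizes (64-byte validation key for SHA1, 32-byte decryption key for AES) are choices made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: simplified model of the failure (MAC only, no encryption)
// plus generation of static keys. The ticket string is constructed sample data.
static class MachineKeyDemo
{
    // Cryptographically random key material as upper-case hex.
    static string RandomHex(int byteCount)
    {
        byte[] buf = new byte[byteCount];
        RandomNumberGenerator.Create().GetBytes(buf);
        return BitConverter.ToString(buf).Replace("-", "");
    }

    static byte[] FromHex(string hex)
    {
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return bytes;
    }

    // HMAC-SHA1 over the ticket, standing in for the cookie validation step.
    static string Sign(string ticket, string validationKeyHex)
    {
        using (HMACSHA1 mac = new HMACSHA1(FromHex(validationKeyHex)))
            return BitConverter.ToString(mac.ComputeHash(Encoding.UTF8.GetBytes(ticket)));
    }

    static void Main()
    {
        string ticket = "name=alice;issued=2006-10-31T09:00;timeout=50000000"; // constructed
        string keyBefore = RandomHex(64);   // key the worker process started with
        string cookieMac = Sign(ticket, keyBefore);

        // Recycle with auto-generated keys that were not kept: a new key appears.
        string keyAfter = RandomHex(64);
        Console.WriteLine("regenerated key accepts cookie: {0}", Sign(ticket, keyAfter) == cookieMac);
        // Recycle with a static key from config: the same key is loaded again.
        Console.WriteLine("static key accepts cookie:      {0}", Sign(ticket, keyBefore) == cookieMac);

        // Static keys for the machineKey element under system.web.
        Console.WriteLine("<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\" decryption=\"AES\" />",
            RandomHex(64), RandomHex(32));
    }
}
```

The printed keys are secrets: anyone who holds the validationKey and decryptionKey can forge forms auth cookies for the site, so generate them locally and restrict read access to the config file that stores them.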
