I've got a situation that I'm a little confused by as I cannot replicate it on any of my other environments.
The site is still in development and therefore has practically no traffic other than the two of us working on it. So if the site is in a dormant state (all IIS instances closed etc) when I first log in the IPrinciple doesn't get set correctly (in time?) and so subsequent security checks obviously fail. I can then immediately go back to the login page, perform an identical log in and all is fine.
This also occurs irrespective of which user I test with so it's not specific to an account.
I can then log in and log out with any user accounts and this never occurs again. This never occurs in Development on my local machine and I also have an instance of the system in my local IIS instance I use as a faux staging environment. I only ever see this on an idle Production environment.
What can I do to prevent this situation from ever occurring? Is this also suggesting there maybe an issue elsewhere?
After having done a bit of experimentation it turned out that the problem was only manifesting in Google Chrome. All other browsers were performing as expected.
The solution was actually an oversight on my part. It seems Google Chrome has stricter rules around how cookies are dealt with in relation to domains.
Setting the domain attribute on the authentication cookie fixed the issue and now Google Chrome also logs in as expected.