Whenever I updated my ASP.NET Core RC2 website running on as an Azure Web App, it logs out all users. It seems to be related to swapping a staging deployment slot to production (I use web deploy from VS to staging, and have it set to auto-swap to production). If I do a direct update of the production slot it's fine, but I don't want to do that. I am at a loss as to how to configure this, help would be appreciated!
Here is how I have it configured right now, my site only allows logging in directly (no facebook login etc.):
In ConfigureServices in Startup
// found some post that said this would help... doesn't seem to work...
services.AddDataProtection()
.SetApplicationName("myweb");
services.AddIdentity<MyUser, MyRole>(options =>
{
options.Cookies.ApplicationCookie.CookieDomain = settings.CookieDomain; // cookie domain lets us share cookies across subdomains
options.Cookies.ApplicationCookie.LoginPath = new PathString("/account/login");
options.Cookies.ApplicationCookie.ReturnUrlParameter = "ret";
options.Cookies.ApplicationCookie.CookieSecure = CookieSecureOption.Never; // TODO: revisit site-wide https
// allow login cookies to last for 30 days from last use
options.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromDays(60);
options.Cookies.ApplicationCookie.SlidingExpiration = true;
// I think this needs to at least be longer than cookie expiration to prevent security stamp from becoming invalid before the cookie?
options.SecurityStampValidationInterval = TimeSpan.FromDays(90);
})
.AddUserStore<MyUserStore>() // custom stores to hook up our old databases to new identity system
.AddRoleStore<MyRoleStore>()
.AddDefaultTokenProviders();
And in Configure in Startup
app.UseIdentity();
After much research... I think that I have this working.
So for anyone who wants an ASP.NET Core RC2 website that uses the Identity stuff for login, and wants to host it on an Azure Web App, and wants to use the Deployment Slots to do updates via swapping, and doesn't want every user to get logged out every time the website is updated... read on!
** Usually, Azure gives you some magical default configuration that makes all of the instances in a single Web App work together. The issue with deployment slots is that it essentially acts like two completely separate Web Apps, so all the magic is gone.
You need to configure Data Protection correctly to make this work. It is a bit confusing because the documentation for .NET Core Identity makes no explicit mention of depending on or requiring that you configure Data Protection correctly, but it does. Data Protection is what it uses under the hood to encrypt the application login cookie.
The following code is needed in ConfigureServices:
services.AddDataProtection()
.SetApplicationName("myweb")
.ProtectKeysWithCertificate("thumbprint");
services.AddSingleton<IXmlRepository, CustomDataProtectionRepository>();
Explanation of each piece:
And OMG finally we have it working. Enjoy the 500% decrease in lost password customer service requests ;)