Search code examples
asp.netasp.net-mvcsession-state

MVC - Users must reauthenticate on IIS Recycle


I need an app pool recycle to be completely transparent to the users of my web app.

Currently, upon an IIS 7 App Pool recycle all users logged into my web app are kicked out and are required to log back in (Context.User.Identity.IsAuthenticated is set to false). I employ SQL State Server, I use forms authentication and both are configured to use cookies. I was under the impression that .NET and/or IIS handles authentication of cookies.

However, every time the app pool is recycled Context.User.Identity.IsAuthenticated is set to false (and I've no idea where this occurs) my users are kicked out and are required to log back in. I can see that the session id remains the same throughout logins, I can also view this session information in the database/state server.

I can't tell if this is a session or a cookie problem.

Please Help!

Logon method:

public ActionResult LogOn(string userName, string password, bool rememberMe, string returnUrl)
    {
        if (!ValidateLogOn(userName, password))
        {
            return View();
        }

        FormsAuth.SignIn(userName, true);  // uses FormsAuthentication.SetAuthCookie(username, true);
        Session["userName"] = userName;

        if (!String.IsNullOrEmpty(returnUrl))
        {
            return Redirect(returnUrl);
        }
        else
        {
            return RedirectToAction("Index", "Home");
        }
    }

Custom Controller Attribute:

public class CookieAuthorizeAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContext lvContext = HttpContext.Current;

            if (!lvContext.User.Identity.IsAuthenticated)
            {
                lvContext.Response.Redirect("~/Account/Logon");
            }
            else
            {
                FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
                FormsAuthentication.RenewTicketIfOld(identity.Ticket);
            }

        base.OnActionExecuting(filterContext);
    }
}

WebConfig:

<authentication mode="Forms">
  <forms cookieless="UseCookies" loginUrl="~/Account/LogOn" slidingExpiration="true" name=".ASPXAUTH" requireSSL="false" timeout="2880" />
</authentication>

<modules runAllManagedModulesForAllRequests="true">
  <remove name="ScriptModule" />
  <remove name="UrlRoutingModule" />
  <remove name="Session" />
  <remove name="FormsAuthentication" />
  <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  <add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web.Routing, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  <add name="NHibernateMvcSessionModule" type="EpnNHibernateBase.NHibernateMvcSessionModule, EpnNHibernateBase" />
  <add name="Session" type="System.Web.SessionState.SessionStateModule" />
  <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</modules>

Solution

  • I was able to find a solution on my own. The problem was not with how authentication was handled programmatically or how I was authenticating users. The problem was with how I had configured the authentication in IIS/web.config.

    I carefully followed the steps in the links listed below:

    Configuring Forms Authentication (IIS 7) (Branching out on every related section)

    Configuring Machine Keys in IIS 7 <-- This one in particular

    After having followed those steps closely I was able to correctly generate a machine key. This machine key is as follows (with a fabricated key):

    <machineKey decryptionKey="ASDF3WS545AS5D4F8254A12DAFA5SDF7,IsolateApps" validation="3DES" validationKey="A65A6S5DF46ASD4F89WEF6SAD2F4A68EF4AW65F4D3A2F4AS6DF89A98D4F6A5SD4F6A5SDF46ASD8F4A6S5DF46AS5D4F6AS5DF49AS8DF46AS5D4F6AS5DF46SAD5F,IsolateApps" />
    

    Additionally, httpModules and system.webServer:modules sections in the web.config required the addition of the following modules:

    <remove name="Session" />
    <remove name="FormsAuthentication" />
    <add name="Session" type="System.Web.SessionState.SessionStateModule" />
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
    

    Summary: From what I gather, cookies were being created and encrypted, but because there was no machine key I was unable to unencrypt the cookie, thus causing the need to reauthenticate.