ASP.Net Core Identity login status lost after deploy

Question

I am using ASP.Net Core and MS Identity, I try to understand why after each deployment the login users are logged out. I am running on a IIS 8.5

I have been trying the method in this thread (setting static machine key) ASP.NET Identity 2 relogin after deploy by generating static keys at the server level in IIS UI and adding the following to web.config of the website:

<system.web>     <machineKey validationKey="XXX"         decryptionKey="XXX"         validation="SHA1" decryption="AES"/> </system.web> 

However the problem remains:

• User logs in
• Stop site
• Start site
• The user needs to log in again

But I also go this:

• User logs in
• Restart site
• The user is still logged in

What can cause the user to be logged off? Any idea on how to avoid that?

Answer 1

(solution split into a separate answer following Chris comment)

I found a solution to keep the login status, it survives website stop/start, and an update of the website source folder:

public void ConfigureServices(IServiceCollection services) {     services.AddDataProtection()             // This helps surviving a restart: a same app will find back its keys. Just ensure to create the folder.             .PersistKeysToFileSystem(new DirectoryInfo("\\MyFolder\\keys\\"))             // This helps surviving a site update: each app has its own store, building the site creates a new app             .SetApplicationName("MyWebsite")             .SetDefaultKeyLifetime(TimeSpan.FromDays(90)); } 

With these additional lines and the machine key set, the login data stays after site stop/start and IIS server restart, and if the site is rebuilt.

More information there: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

More proposed by justserega: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/advanced?view=aspnetcore-6.0#data-protection