
Is there no way to extend ASP.Net Forms Authentication so that sessions can extend past an iisreset?

I just got pinged on another post because my application doesn't keep the user logged in after an iisreset.

How do I solve an AntiForgeryToken exception that occurs after an iisreset in my ASP.Net MVC app?

I have to say I agree with the commenter that it is an artificial restriction.

From what I've read about Forms Authentication it appears that the logged in session information is all stored in memory and when the server is restarted you lose that information.

What I'd like to do is to simply be able to store that information somewhere, ideally in a database so that I can continue on with my sessions. I can't seem to find any way to extend it to do that though. Am I missing something? Have I misunderstood how it's working?

I realise that this is a 'free' piece of kit they're giving us but I'd rather not roll my own because there's a lot they got right and that I have the potential to screw up with my own solution.

Edit: Note this doesn't have anything to do with Session state. As far as I know I'm not using session state at all unless something under me in the framework uses it internally.

I realise that the cookies are used by the authentication but they haven't expired. I'm still getting bounced to the login page after an iisreset though.

Colin Newell asked Feb 05 '10 13:02


2 Answers

Sounds like your problem here is that the <machineKey /> validationKey and decryptionKey attributes are set to AutoGenerate which means they're changing across IIS resets.

This means that encrypted persistent forms authentication cookies will no longer be valid the next time they're presented.

You can fix this by manually configuring a fixed validationKey and decryptionKey. To do this take a look at this article:

How To: Configure MachineKey in ASP.NET 2.0

Scroll down to the section on "Web Farm Deployment Considerations" and Generate Cryptographically Random Keys.

Kev answered Nov 15 '22 07:11
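The check and fix described in the answer above, as an added example that is not part of the original answers or the linked article: it reports which `<machineKey>` keys are still on AutoGenerate and writes fixed random values in their place. The function names and the sample web.config are constructed for illustration; it assumes the file has no default XML namespace and uses a 64-byte validation key and a 32-byte decryption key (24 for 3DES, 8 for DES).

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the question): keys left on AutoGenerate.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Forms" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

KEY_ATTRS = ("validationKey", "decryptionKey")
# decryptionKey size in bytes per algorithm; anything else (AES, Auto) gets 32.
DECRYPTION_KEY_BYTES = {"DES": 8, "3DES": 24}


def autogenerated_keys(web_config_xml):
    """Return the key attributes left on AutoGenerate, explicitly or by default."""
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    if mk is None:  # no element at all: both keys default to AutoGenerate
        return list(KEY_ATTRS)
    return [a for a in KEY_ATTRS
            if mk.get(a, "AutoGenerate").strip().lower().startswith("autogenerate")]


def pin_machine_key(web_config_xml):
    """Return config text in which every AutoGenerate key is a fixed random value."""
    stale = autogenerated_keys(web_config_xml)
    if not stale:
        return web_config_xml  # keys already fixed; never rotate them silently
    root = ET.fromstring(web_config_xml)
    sysweb = root.find("system.web")
    if sysweb is None:
        sysweb = ET.SubElement(root, "system.web")
    mk = sysweb.find("machineKey")
    if mk is None:
        mk = ET.SubElement(sysweb, "machineKey")
    sizes = {
        "validationKey": 64,  # 64 bytes = 128 hex characters
        "decryptionKey": DECRYPTION_KEY_BYTES.get(mk.get("decryption", "Auto").upper(), 32),
    }
    for attr in stale:
        mk.set(attr, secrets.token_hex(sizes[attr]).upper())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("on AutoGenerate:", autogenerated_keys(SAMPLE))
    print(pin_machine_key(SAMPLE))
```

Fixed keys are secrets: anyone who obtains them can forge forms authentication tickets, so keep the resulting web.config out of source control and restrict who can read it. ElementTree drops comments and the XML declaration when it serialises the file, so review the output before deploying it.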


The Authentication session and the 'Session State' (where anti-forgery tokens are tracked) are two completely separate things in ASP.NET.

Authentication is tracked by a cookie in the browser (usually) and so will not be affected by an IIS restart.

Session State is, by default, stored in memory (where it will be killed by a restart), but can be stored easily in SQL Server or a dedicated State Server process (which will both survive IIS restarts).

UpTheCreek answered Nov 15 '22 05:11