Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

MVC - Users must reauthenticate on IIS Recycle

I need an app pool recycle to be completely transparent to the users of my web app.

Currently, upon an IIS 7 App Pool recycle all users logged into my web app are kicked out and are required to log back in (Context.User.Identity.IsAuthenticated is set to false). I employ SQL State Server, I use forms authentication and both are configured to use cookies. I was under the impression that .NET and/or IIS handles authentication of cookies.

However, every time the app pool is recycled Context.User.Identity.IsAuthenticated is set to false (and I've no idea where this occurs) my users are kicked out and are required to log back in. I can see that the session id remains the same throughout logins, I can also view this session information in the database/state server.

I can't tell if this is a session or a cookie problem.

Please Help!

Logon method:

public ActionResult LogOn(string userName, string password, bool rememberMe, string returnUrl)
    {
        if (!ValidateLogOn(userName, password))
        {
            return View();
        }

        FormsAuth.SignIn(userName, true);  // uses FormsAuthentication.SetAuthCookie(username, true);
        Session["userName"] = userName;

        if (!String.IsNullOrEmpty(returnUrl))
        {
            return Redirect(returnUrl);
        }
        else
        {
            return RedirectToAction("Index", "Home");
        }
    }

Custom Controller Attribute:

public class CookieAuthorizeAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContext lvContext = HttpContext.Current;

            if (!lvContext.User.Identity.IsAuthenticated)
            {
                lvContext.Response.Redirect("~/Account/Logon");
            }
            else
            {
                FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
                FormsAuthentication.RenewTicketIfOld(identity.Ticket);
            }

        base.OnActionExecuting(filterContext);
    }
}

WebConfig:

<authentication mode="Forms">
  <forms cookieless="UseCookies" loginUrl="~/Account/LogOn" slidingExpiration="true" name=".ASPXAUTH" requireSSL="false" timeout="2880" />
</authentication>

<modules runAllManagedModulesForAllRequests="true">
  <remove name="ScriptModule" />
  <remove name="UrlRoutingModule" />
  <remove name="Session" />
  <remove name="FormsAuthentication" />
  <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  <add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web.Routing, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  <add name="NHibernateMvcSessionModule" type="EpnNHibernateBase.NHibernateMvcSessionModule, EpnNHibernateBase" />
  <add name="Session" type="System.Web.SessionState.SessionStateModule" />
  <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</modules>
like image 851
alan Avatar asked Oct 18 '10 15:10

alan


People also ask

What happens when IIS application pool recycle?

What is application pool recycling in IIS? Recycling means that the worker process that handles requests for that application pool is terminated and a new one is started. This is generally done to avoid unstable states that can lead to application crashes, hangs, or memory leaks.

Does restarting IIS recycle application pools?

Does IISRESET recycle the application pools? The correct answer is no. Instead, IISRESET causes the shutdown of all active IIS worker processes, kills them if they do not stop in time.

How often does IIS recycle app pool?

You can specify that IIS recycle an application pool at set intervals (such as every 180 minutes), at a specific time each day, or after the application pool receives a certain number of requests.


2 Answers

I was able to find a solution on my own. The problem was not with how authentication was handled programmatically or how I was authenticating users. The problem was with how I had configured the authentication in IIS/web.config.

I carefully followed the steps in the links listed below:

Configuring Forms Authentication (IIS 7) (Branching out on every related section)

Configuring Machine Keys in IIS 7 <-- This one in particular

After having followed those steps closely I was able to correctly generate a machine key. This machine key is as follows (with a fabricated key):

<machineKey decryptionKey="ASDF3WS545AS5D4F8254A12DAFA5SDF7,IsolateApps" validation="3DES" validationKey="A65A6S5DF46ASD4F89WEF6SAD2F4A68EF4AW65F4D3A2F4AS6DF89A98D4F6A5SD4F6A5SDF46ASD8F4A6S5DF46AS5D4F6AS5DF49AS8DF46AS5D4F6AS5DF46SAD5F,IsolateApps" />

Additionally, httpModules and system.webServer:modules sections in the web.config required the addition of the following modules:

<remove name="Session" />
<remove name="FormsAuthentication" />
<add name="Session" type="System.Web.SessionState.SessionStateModule" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />

Summary: From what I gather, cookies were being created and encrypted, but because there was no machine key I was unable to unencrypt the cookie, thus causing the need to reauthenticate.

like image 160
alan Avatar answered Sep 26 '22 02:09

alan


have you tried storing the sessions in a database so they are persistent even if the process is recycled? see here for howto

like image 26
AndreasKnudsen Avatar answered Sep 26 '22 02:09

AndreasKnudsen