thinking in geek tagline’s are so web2.0


Posted
26 April 2007 @ 10am

Tagged
asp.net

FormsAuthentication AppPool restarts and machineKeys

This seems like a pretty common problem but I’m documenting this here so I can point people to it.

The symptoms are that people are being logged out before the timeout that you set on the FormsAuthentication cookie. For example: You set the cookie timeout to 1 hour – but people are logged out after 20 minutes.

This is normally caused by overly aggressive AppPool process recycling. By default a worker process is shut down after 20 minutes of inactivity – this should definitely be changed for production apps. I normally disable the timeout shutdown and schedule an AppPool restart at 3am each day.

With the default ASP.NET configuration, users will be forced to re-authenticate every time the AppPool starts or restarts, even if their previously issued auth cookie hasn’t expired. This is because ASP.NET generates a machineKey on startup unless one is specified in the <machineKey> section of web.config. That key is used to encrypt the authentication cookie. If it changes, any previously issued cookies are no longer valid: authentication fails and users are redirected to the login page.

The whole flow looks like this:

  1. Initial application startup. ASP.NET generates a machineKey for the app.
  2. FormsAuthentication encrypts the auth cookie with the generated machineKey.
  3. User is logged in for 20 mins (or whatever timeout you specify). The AppPool recycles – ASP.NET starts up again and generates a new machineKey.
  4. User requests a new page – the auth cookie fails to decrypt – authentication fails and the user is redirected to the login page.

The solution is simple – provide a <machineKey> in your web.config so that the same key is used between restarts. Here’s some help with that:

http://www.developmentnow.com/articles/machinekey_generator.aspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q312906
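
The flow and the fix above, as an added example that is not part of the original post and not ASP.NET's implementation: a simplified Python model in which a cookie issued before a recycle is validated by the restarted process. The `Worker` class, the `survives_recycle` helper and both web.config fragments are constructed for illustration, and the model only MACs the cookie rather than encrypting it.

```python
import hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET

# Constructed web.config fragments. The pinned key is random sample data made
# for this run; a real key is generated once and stored in web.config.
AUTO_CONFIG = '<system.web><machineKey validationKey="AutoGenerate,IsolateApps" /></system.web>'
PINNED_CONFIG = ('<system.web><machineKey validationKey="%s" validation="HMACSHA256" />'
                 '</system.web>' % secrets.token_hex(32).upper())

class Worker:
    """Simplified model of one worker-process lifetime (MAC only, no encryption)."""
    def __init__(self, web_config):
        elem = ET.fromstring(web_config).find("machineKey")
        value = "AutoGenerate" if elem is None else elem.get("validationKey", "AutoGenerate")
        if value.startswith("AutoGenerate"):
            self.key = secrets.token_bytes(32)  # fresh key on every start
        else:
            self.key = bytes.fromhex(value)     # same key on every start

    def _mac(self, payload):
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue(self, user, ttl_seconds):
        payload = f"{user}|{int(time.time()) + ttl_seconds}".encode()
        return payload.hex() + "." + self._mac(payload)

    def validate(self, cookie):
        """Return the user name, or None (the redirect-to-login case)."""
        payload_hex, _, mac = cookie.partition(".")
        try:
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        if not hmac.compare_digest(mac.encode(), self._mac(payload).encode()):
            return None
        user, _, expires = payload.decode().rpartition("|")
        return user if time.time() < int(expires) else None

def survives_recycle(web_config):
    """Issue a cookie, start a new Worker from the same config, validate there."""
    cookie = Worker(web_config).issue("alice", 3600)
    return Worker(web_config).validate(cookie) == "alice"

if __name__ == "__main__":
    print("auto-generated key survives recycle:", survives_recycle(AUTO_CONFIG))
    print("pinned key survives recycle:", survives_recycle(PINNED_CONFIG))
```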

