I've got an ASP.NET application which seems to forget that a user is logged in after a while.

I'm using the membership provider and when I opt to "remember" the login it remembers it during the session. I can even close the browser, restart and come back and it will still be logged in. But after a while it forgets and it seems to do it at any old time. I've once been logged in and when I went to a new page I was logged out.

The other strange things are:

  1. On my development machine it remembers the log in forever. Even after IIS restarts and recompiles it will remember my login as expected.
  2. I have another application on the same server that does remember the login forever. I compared how they handle login and they seem to be identical.

This leads me to believe that the issue has something to do with the server or perhaps something in the application not directly related to the login and membership code. What could I look at?

Edit: Looked up the cookies using Fiddler and they seem to be OK. An authentication cookie created today expires 2 weeks from now, which is how my config is set up: expires=Mon, 06-Sep-2010 01:47:51 GMT

Edit: The problem seems to be that the app pool is recycling and the authentication cookie becomes invalid because it can no longer be read as the machine key has changed. The solution was to add a machineKey segment to the web.config and supply a static machine key.

+3  A: 

"Remember me" functionality is done using cookies. Cookies can be set with an expiration date. You need to look into how the cookie is being set (Fiddler is good for this, you can inspect the HTTP header when the cookie is set.)

Dave Swersky
The expiration date seems to be ok. I'm looking into the machinekey and app pool recycling as another person mentioned. Seems to be what I'm seeing, but not sure why one app would be affected and another is fine.
metanaito
+3  A: 

There are two major possibilities.

  1. Cookie expiration. If the cookie expires / goes away, then you are considered logged out.

  2. Cookie invalidation. Login cookies are encrypted based on the machineKey value. If you do not specify a machineKey, a new one is regenerated each time the application pool starts up (or is recycled). That means that any login cookie encrypted with the old machineKey is now invalid, and you will not be considered logged in.

Check to see what the recycle settings are on your application pool in IIS and see if that corresponds with the timing of you not being logged in.

Pixel
I checked the cookie expiration and it seems ok (expires in 2 weeks as expected). The second item you wrote seems like it could be what I'm seeing. I guess I should do some reading on login cookies and machinekey.
metanaito
Cookie invalidation seems to be the cause. I added a static machineKey to the web.config and it hasn't forgotten my login yet.
metanaito
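
Added example, not part of the original question or answers: a PowerShell function that generates the static keys the fix described above calls for and prints a `machineKey` element to paste into web.config. The function names `New-MachineKeyElement` and `New-HexKey`, the key lengths, and the `HMACSHA256`/`AES` algorithm choice (which assumes .NET Framework 4.0 or later) are assumptions, not values from the page.

```powershell
# Added example: build a static <machineKey> element for web.config.
# Assumptions: .NET Framework 4.0+ on the server, Windows PowerShell 5.1 to run this.
# New-MachineKeyElement and New-HexKey are hypothetical helper names.
function New-MachineKeyElement {
    param(
        [int]$ValidationKeyBytes = 64,   # 128 hex characters, key for HMACSHA256
        [int]$DecryptionKeyBytes = 32    # 64 hex characters, key for AES-256
    )

    # Returns $Length bytes from the OS CSPRNG as an uppercase hex string.
    function New-HexKey([int]$Length) {
        $bytes = New-Object byte[] $Length
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
        return ([System.BitConverter]::ToString($bytes) -replace '-', '')
    }

    $validationKey = New-HexKey $ValidationKeyBytes
    $decryptionKey = New-HexKey $DecryptionKeyBytes

    # Explicit keys mean the application no longer depends on a key that is
    # regenerated when the application pool recycles, so login cookies issued
    # before a recycle can still be decrypted and validated afterwards.
    $template = '<machineKey validationKey="{0}" decryptionKey="{1}" ' +
                'validation="HMACSHA256" decryption="AES" />'
    return ($template -f $validationKey, $decryptionKey)
}

# Generate once, then place the printed element inside <system.web> in web.config.
New-MachineKeyElement
```

Treat the generated keys as secrets: anyone who holds them can forge a valid authentication cookie, so keep them out of source control. If the application runs on more than one server, every server needs the same element.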