Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
506 views
in Technique [Technology] by (71.8m points)

iis - ASP.NET issues an expired authentication Cookie

I am facing a weird issue with FormsAuthentication's .ASPXAUTH cookie. I migrated a .NET 4.6.2 MVC5 project that makes use of FormsAuthentication to .NET 4.8, and everything seems to work as expected besides the authentication cookie issued by FormsAuthentication.

I am able to log in to the application successfully. If I use the developer tools and explore cookies in the browser, I can see that the browser has the appropriate .ASPXAUTH cookie set along with max-age=session and path=/. This is all working as expected; so far everything is good. If I start browsing different pages in the application, all of a sudden I am kicked out to the Login page.

An inspection of traffic between IIS and the browser through Fiddler suggests that the application randomly returns an expired authentication cookie, which overwrites the valid cookie. This causes a forced logout and the session is dropped.

This is what I have in my web.config.

    <authentication mode="Forms">
      <forms slidingExpiration="true" name=".ASPXAUTH" loginUrl="~/Login" defaultUrl="~/default" timeout="15"/>
    </authentication>
    <sessionState mode="InProc" cookieName=".SESSIONID" timeout="15"/>
    <anonymousIdentification enabled="true" cookieName=".ASPXANONYMOUS" cookieTimeout="1440"/>

  • The website is hosted on localhost running Windows 10 Professional, IIS 10.
  • I looked at the application pool event log and it was only shut down due to inactivity.

A worker process with process id of '10832' serving application pool 'mywebsite.com' was shutdown due to inactivity. Application Pool timeout configuration was set to 20 minutes. A new worker process will be started when needed.

  • We are not reissuing the authentication cookie manually anywhere besides the login form.

Here are the steps explaining what is happening

  1. I go to Login page and enter username/password.

  2. The code issues the authentication cookie using the following code:

    FormsAuthentication.SetAuthCookie(model.UserName, false);

  3. User is sent to protected pages and I am able to confirm in Browser Cookies that a valid .ASPXAUTH cookie is set for the user.

  4. I navigate a few protected pages; everything seems to work as expected.

  5. All of a sudden, when I try to open a page, the browser is served an expired authentication cookie.

    Set-Cookie: .ASPXAUTH=; expires=Mon, 11-Oct-1999 23:00:00 GMT; path=/; HttpOnly; samesite=Lax;

  6. This causes the browser to remove the .ASPXAUTH cookie, resulting in a lost session.

I have spent several hours trying to find out what could be causing this behavior, but no luck. I have seen other people experiencing a similar problem, but no solution.

Update: The issue stopped happening after two days. After debugging in Fiddler, inspecting IIS logs and searching around the internet for similar issues, I think it was linked to the use of secure cookies. I enabled secure cookies on the website for some tests and then reverted the updates shortly afterwards. @Scott Hanselman has an article that points in this direction, though in my case I was not setting the cookie manually.

Weird Timeouts with custom ASP.NET FormsAuthentication

question from:https://stackoverflow.com/questions/65936781/asp-net-issues-an-expired-authentication-cookie

He who fights with dragons for too long becomes a dragon himself; gaze too long into the abyss, and the abyss gazes back…
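
One way to find which requests produce the clearing `Set-Cookie` shown in step 5 of the question, as an added example that is not part of the original post: an `IHttpModule` that logs request context whenever the response carries an emptied, already-expired forms-authentication cookie. The class name `AuthCookieClearLogger` and the log format are assumptions made for this illustration.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Web;
using System.Web.Security;

// Added diagnostic example; AuthCookieClearLogger is a hypothetical name.
public sealed class AuthCookieClearLogger : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // By EndRequest, the handler and the forms-authentication module
        // have added whatever cookies they are going to add.
        app.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string name = FormsAuthentication.FormsCookieName; // ".ASPXAUTH" in the posted config

        // Probe with AllKeys: the Response.Cookies indexer creates an empty
        // cookie when none exists, which would itself overwrite the ticket.
        if (!ctx.Response.Cookies.AllKeys.Contains(name, StringComparer.OrdinalIgnoreCase))
            return;

        HttpCookie outgoing = ctx.Response.Cookies[name];
        bool cleared = string.IsNullOrEmpty(outgoing.Value)
                       && outgoing.Expires != DateTime.MinValue   // MinValue = session cookie
                       && outgoing.Expires < DateTime.Now;
        if (!cleared)
            return; // normal issue or sliding-expiration renewal

        // Read the raw header: Request.Cookies also reflects cookies that
        // were added to the response during this request.
        string raw = ctx.Request.Headers["Cookie"] ?? string.Empty;
        bool browserSentTicket = raw.IndexOf(name + "=", StringComparison.OrdinalIgnoreCase) >= 0;
        bool authenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;

        // Log context only, never cookie values.
        Trace.TraceWarning(
            "{0} cleared on {1} {2} (https={3}, browserSentTicket={4}, authenticated={5}, status={6})",
            name, ctx.Request.HttpMethod, ctx.Request.Url.AbsolutePath,
            ctx.Request.IsSecureConnection, browserSentTicket, authenticated,
            ctx.Response.StatusCode);
    }

    public void Dispose() { }
}
```

Register the class under `<system.webServer><modules>` in web.config; the warnings go to whichever trace listener the site has configured.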

1 Answer

0 votes
by (71.8m points)
    <authentication mode="Forms">
      <forms name="NAME" loginUrl="YOUR_LOGIN_URL" timeout="3000"></forms>
    </authentication>

You can add this piece of code inside your Web.config.

Note that the timeout attribute is in minutes.

