by Peter Taylor
11. July 2011 10:14
I was having a problem with a new ASP.NET 2010 site: when a user logged in, the authentication timeout was set to
<forms timeout="1440" slidingExpiration="true" />
but after 10 minutes the site would log the user out.
This issue had never happened on ASP.NET 2008.
My test rig was Windows Server 2008 R2 with IIS and .NET4, and it showed no sign of this issue.
The issue only showed when it was deployed to the customer's site, where it was running on a Windows Server 2003 server with IIS and .NET4.
It turns out that when IIS recycles the sessions for .NET4 applications on Windows Server 2003 machines, it also updates the machine key.
The machine key is a core part of the authentication cookie and when the key is reset the current cookie becomes invalid, logging the users out.
The fix is to generate your own machine key and state it in your web.config. This stops the key from changing, as ASP.NET will use the web.config version.
The Machine Key tag:
<machineKey validationKey="##" decryptionKey="##" validation="SHA1" decryption="AES" />
Milan Negovan has a tool on his website, allowing you to generate keys for the machineKey.
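The keys can also be generated locally from the operating system's CSPRNG, so they never pass through a third-party page. The following Python sketch is an added example, not the author's code or Milan Negovan's tool: it builds the tag shown above and checks an existing tag for auto-generated or malformed keys. The function names and the chosen key sizes (64-byte validation key, 32-byte AES decryption key) are assumptions made for this example.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Key sizes in bytes (assumptions for this example, within the documented
# machineKey limits: validationKey 20-64 bytes, AES key 16, 24 or 32 bytes).
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
AES_KEY_HEX_LENGTHS = {32, 48, 64}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def new_machine_key():
    """Return a <machineKey> element with fresh keys from the OS CSPRNG."""
    validation = secrets.token_hex(VALIDATION_KEY_BYTES).upper()
    decryption = secrets.token_hex(DECRYPTION_KEY_BYTES).upper()
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="SHA1" decryption="AES" />' % (validation, decryption))


def check_machine_key(element_xml):
    """Return a list of problems found in a <machineKey> element ([] if none)."""
    attrs = ET.fromstring(element_xml).attrib
    problems = []
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, "AutoGenerate")  # absent means auto-generated
        if value.startswith("AutoGenerate"):
            problems.append(name + " is auto-generated, so it is not fixed")
        elif not HEX_RE.match(value):
            problems.append(name + " is not a hexadecimal string")
    vkey = attrs.get("validationKey", "")
    if HEX_RE.match(vkey) and not (40 <= len(vkey) <= 128 and len(vkey) % 2 == 0):
        problems.append("validationKey must be 40-128 hex characters")
    dkey = attrs.get("decryptionKey", "")
    if (attrs.get("decryption") == "AES" and HEX_RE.match(dkey)
            and len(dkey) not in AES_KEY_HEX_LENGTHS):
        problems.append("AES decryptionKey must be 32, 48 or 64 hex characters")
    return problems


if __name__ == "__main__":
    element = new_machine_key()
    print(element)                              # paste inside <system.web>
    print(check_machine_key(element) or "OK")
```

Treat the generated tag as a secret: anyone who holds these keys can forge authentication cookies for the site, so keep the web.config that contains them out of shared or public source control.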