ASP.Net Core Identity login status lost after deploy

Question

I am using ASP.Net Core and MS Identity, I try to understand why after each deployment the login users are logged out. I am running on a IIS 8.5

I have been trying the method in this thread (setting static machine key) ASP.NET Identity 2 relogin after deploy by generating static keys at the server level in IIS UI and adding the following to web.config of the website:

<system.web>
    <machineKey validationKey="XXX"
        decryptionKey="XXX"
        validation="SHA1" decryption="AES"/>
</system.web>

However the problem remains:

User logs in
Stop site
Start site
The user needs to log in again

But I also go this:

User logs in
Restart site
The user is still logged in

What can cause the user to be logged off? Any idea on how to avoid that?

Don't update your questions with the solution if you solved it on your own. Post your solution as an answer (it is okay to answer your own questions). As it stands, this will just perpetually stay in the "unanswered" queue. — Chris Pratt, Mar 29 '18 at 15:11

score 39 · Accepted Answer · edited Nov 23 '21 at 09:41

(solution split into a separate answer following Chris comment)

I found a solution to keep the login status, it survives website stop/start, and an update of the website source folder:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
            // This helps surviving a restart: a same app will find back its keys. Just ensure to create the folder.
            .PersistKeysToFileSystem(new DirectoryInfo("\\MyFolder\\keys\\"))
            // This helps surviving a site update: each app has its own store, building the site creates a new app
            .SetApplicationName("MyWebsite")
            .SetDefaultKeyLifetime(TimeSpan.FromDays(90));
}

With these additional lines and the machine key set, the login data stays after site stop/start and IIS server restart, and if the site is rebuilt.

More information there: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

More proposed by justserega: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/advanced?view=aspnetcore-6.0#data-protection

You save my day! More information in deployment documentation https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?tabs=aspnetcore2x#data-protection — Sergei Shvets, Apr 02 '18 at 06:51
It may or may not be fine in a particular use case, but worth highlighting that this solution doesn't encrypt the keys at rest. To do that you'd need to add a ProtectKeysWith* call. — decates, Jul 08 '22 at 12:15

score 9 · Answer 2 · edited Nov 23 '21 at 12:22

Authentication use Data Protection Stack. If data protection isn't configured, the keys are held in memory and discarded when the app restarts.

If the key ring is stored in memory when the app restarts:

All cookie-based authentication tokens are invalidated.
Users are required to sign in again on their next request.
Any data protected with the key ring can no longer be decrypted. This may include CSRF tokens and ASP.NET Core MVC tempdata cookies.

You have to configure data protection, more information here https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/advanced?view=aspnetcore-6.0#data-protection

score 0 · Answer 3 · answered Jul 28 '22 at 22:08

I was able to solve this issue by going into the site's app pool under advanced settings and set "Load User Profile" to true under Process Model.

Then in Startup.cs use:

services.AddSession(options =>
{
    //Set whatever options you want here
    options.Cookie.IsEssential = true;
    options.IdleTimeout = TimeSpan.FromDays(365);
});

...

app.UseSession();

I'm not positive, but services.AddDistributedMemoryCache(); might be needed, helpful or otherwise useful.

I was trying Session State in IIS and machine keys and much, much, more, yet none was needed for just a basic login session persist through a publish or restart.

ASP.Net Core Identity login status lost after deploy

3 Answers3

Linked