Persistent AuthCookie is set but being redirected to login

ⅰ亾dé卋堺 submitted on 2019-12-22 08:08:52

Question


I'm having problems with using a persistent AuthCookie. The validation and login work perfectly, and if I close the browser and re-open it the authentication is still valid and no redirect to the login page is done. I'm not sure what the exact time is, but let's say that if I close the browser without logging off and only reopen it 20 minutes later, I'll be redirected to the login page even though the cookie is set when I check with web developer tools and its expiration date is one month from now.

All I'm doing after validating the user's credentials is

FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

And in my Web.Config I have it set like

<configuration>
    <system.web>
    ...
    <authentication mode="Forms">
        <forms cookieless="UseCookies" loginUrl="~/Utilizador/Login" name="SMOAuth" slidingExpiration="true" timeout="43829"/>
    </authentication>
    ...

Also tried to hard-code the machine key as suggested here and a few other places, but to no effect.

<machineKey validationKey="Validation_Key_Here" decryptionKey="Decrypt_Key_Here" validation="SHA1" decryption="AES"/>

I'm having a hard time trying to figure this out.


Answer 1:


//this line is NOT ENOUGH for "remember me" to work!!!
FormsAuthentication.SetAuthCookie(userName, true); //DOESN'T WORK!

//###########

//you have to save the "remember me" info inside the auth-ticket as well
//like this:

DateTime expires = DateTime.Now.AddDays(20); //remember for 20 days

//create the auth ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
    userName,
    DateTime.Now,
    expires, // value of time out property
    true, // Value of IsPersistent property!!!
    String.Empty,
    FormsAuthentication.FormsCookiePath);

//now encrypt the auth-ticket
string encryptedTicket = FormsAuthentication.Encrypt(ticket);

//now save the ticket to a cookie
HttpCookie authCookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            encryptedTicket);
authCookie.Expires = expires;

//feed the cookie to the browser
HttpContext.Current.Response.Cookies.Add(authCookie);



Answer 2:


Check your IIS settings.

1) By default IIS 7 (and IIS 8 as well if memory serves) generates a unique encryption key per application pool at runtime. Generation at runtime means that the key is regenerated whenever the app pool restarts. This means the persistent cookie generated before the app pool restart won't be decrypted after the app pool restart; the user won't be able to authenticate with the old cookie and will be taken to the login page.

2) IIS has a default idle timeout of 20 minutes. This means that if the app does not receive a single request in 20 minutes, the app pool will shut down. It will then start anew when a request comes in.

The combination of the above two settings can lead to the behavior that you described.

PS. You may also want to check the Application event log: if it is indeed decryption failing, you will have an exception in there, something along the lines of "Unable to validate data".
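
One way to tell the causes raised in the two answers apart (expired ticket versus a cookie that no longer decrypts), added here as an example and not code from the question or either answer. `AuthCookieDiagnostics`, `Diagnose` and `IsAuto` are hypothetical names, and the code assumes a classic ASP.NET (System.Web) application that calls it from `Application_AuthenticateRequest`.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Hypothetical helper, not from the original post. Call it from
// Application_AuthenticateRequest in Global.asax and log the returned string.
// It never returns or logs the cookie value itself, which is a bearer credential.
public static class AuthCookieDiagnostics
{
    public static string Diagnose(HttpRequest request)
    {
        // Answer 2's case: keys left on the default "AutoGenerate" setting
        // instead of fixed values in <machineKey>.
        var mk = (MachineKeySection)WebConfigurationManager.GetSection("system.web/machineKey");
        bool autoKeys = IsAuto(mk.ValidationKey) || IsAuto(mk.DecryptionKey);
        string keyInfo = " (machineKey auto-generated: " + autoKeys + ")";

        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "No forms-auth cookie was sent by the browser" + keyInfo;

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null)
                return "Cookie present but no ticket could be read from it" + keyInfo;
            if (ticket.Expired)
                // Answer 1's case: the ticket's own expiration has passed,
                // whatever expiry date the browser shows for the cookie.
                return "Ticket decrypted but expired at " + ticket.Expiration.ToString("o")
                     + ", IsPersistent=" + ticket.IsPersistent + keyInfo;
            return "Ticket valid until " + ticket.Expiration.ToString("o")
                 + ", IsPersistent=" + ticket.IsPersistent + keyInfo;
        }
        catch (Exception ex) when (ex is ArgumentException || ex is HttpException
                                   || ex is CryptographicException)
        {
            // Decryption or signature validation failed: typically the cookie was
            // protected with different keys than this worker process is using,
            // or the value was altered in transit.
            return "Cookie failed validation/decryption: " + ex.GetType().Name + keyInfo;
        }
    }

    private static bool IsAuto(string key)
    {
        return key != null && key.IndexOf("AutoGenerate", StringComparison.OrdinalIgnoreCase) >= 0;
    }
}
```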



Source: https://stackoverflow.com/questions/29922761/persistent-authcookie-is-set-but-being-redirected-to-login
