8

I have two websites with self-written membership providers that are hosted on the same server in the same Web in different web-applications and different application pools.

Formerly I had the problem that I could not log on to both sites together. Thanks to Remy's post, this works now; I had to add the name attribute to the forms element.
But now I have the problem that the remember-me option of the ASP login control stopped working. The user is logged off after the normal session timeout.

The authentication-attributes in the web.config file look as follows:

<authentication mode="Forms" >
  <forms loginUrl="~/UserMgmt/Login.aspx" timeout="400000" slidingExpiration="true" name="NameOfTheSite"/>
</authentication>

I have also set the cookie name for the forms authentication to different names.

Is there something else that I have to add, so that the remember-me feature works?

Update
I have observed that if I disable encryption and validation for the forms authentication cookie, the problem is gone. If I activate either encryption, validation or both, the problem occurs again.
I also know that it's independent of the session-cookie names (they could even be identical). Maybe this information helps someone to figure out what's going on?

Update 1
Thanks to Jason Kealey for the solution to this problem. I would never have found it. In the meantime I've found the corresponding information in MSDN. In How To: Configure MachineKey in ASP.NET 2.0, in the section "Web Farm Deployment Considerations", is written:

If you want to isolate your application from other applications on the same server, place the <machineKey> in the Web.config file for each application on each server in the farm. Ensure that you use separate key values for each application, but duplicate each application's keys across all servers in the farm.

4
  • That is about what I have. Did you delete the existing cookies? Commented Jan 21, 2011 at 14:50
  • @Remy: No, has not worked, but anyway it was a good idea! Commented Jan 21, 2011 at 16:52
  • What happens if you change the timeout to something like 7 days (10080) instead of 277+ (400000) days? Commented Jan 27, 2011 at 15:17
  • @Mark Schultheiss: No, I have tried it and it had no effect. Commented Jan 27, 2011 at 18:31

3 Answers 3

9
+50

The issue may be that you have validation keys that are automatically generated every time you launch the worker process. The cookie is encrypted, but when you come back a new server-side key is used and thus your cookie cannot be decrypted.

Check out the machineKey section http://msdn.microsoft.com/en-us/library/ff649308.aspx

Here is something that will generate the machineKey section for you http://www.qualitydata.com/products/aspnet-membership/help/configuration/no-machinekey.aspx


4 Comments

I must admit that I don't understand what your answer means (because my knowledge about asp.net is only little). What is the worker process and why is it relaunched? Is this the process IIS hosts the web in? If yes, why does this problem occur only when I have two membership providers? If I only have one, all runs fine. Also, if I read the linked documents, they all are saying that I should configure the machine key section if my app runs in a web farm or if I want to share the login between apps. But I want neither of the two, explicitly not sharing the login between the apps.
Given the fact that disabling validation makes everything work, I believe that every time the application pool (IIS worker process) is reset, it is generating a new key that it uses to validate the user's cookie when they return to your site. It can reset due to inactivity or due to a number of reasons. (And the new key can't decrypt the content from the previous visit, as it is not the same as the initial one). Try adding something generated with the above tool and let us know if it works.
I believe this is the most likely solution given the facts.
+1, accept and bounty! Now having read the right docs, all seems to be clear, but without the right link, I would not have found the solution. Thanks.
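To make the fix in this answer concrete, here is an added example (not code from the thread or from Microsoft) that checks each application's Web.config for a missing, auto-generated or shared `<machineKey>` and builds a fresh per-application element. The key sizes (64-byte SHA1 validation key, 32-byte AES decryption key) are assumed from the MSDN how-to the page cites; the site names and sample configs are constructed.

```python
import secrets
import xml.etree.ElementTree as ET

# Sizes follow the MSDN how-to cited on this page (assumed here):
# 64-byte validation key for SHA1, 32-byte decryption key for AES.
VALIDATION_BYTES, DECRYPTION_BYTES = 64, 32

def new_machine_key():
    """Build a <machineKey> element with fresh, explicit random keys."""
    return ET.Element("machineKey", {
        "validationKey": secrets.token_hex(VALIDATION_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_BYTES).upper(),
        "validation": "SHA1",   # .NET 4+ also accepts HMACSHA256
        "decryption": "AES",
    })

def audit(configs):
    """configs maps app name -> Web.config text; returns findings."""
    findings, owners = [], {}
    for app, text in configs.items():
        mk = ET.fromstring(text).find("./system.web/machineKey")
        if mk is None:
            findings.append(f"{app}: no <machineKey>, keys are auto-generated")
            continue
        keys = (mk.get("validationKey", "AutoGenerate"),
                mk.get("decryptionKey", "AutoGenerate"))
        if any(k.startswith("AutoGenerate") for k in keys):
            findings.append(f"{app}: keys are auto-generated")
        elif keys in owners:
            findings.append(f"{app}: same keys as {owners[keys]}")
        else:
            owners[keys] = app
    return findings

def config_with(machine_key):
    """Constructed minimal Web.config around the page's <forms> setup."""
    root = ET.fromstring('<configuration><system.web><authentication mode="Forms">'
                         '<forms name="NameOfTheSite" timeout="400000"/>'
                         '</authentication></system.web></configuration>')
    if machine_key is not None:
        root.find("system.web").append(machine_key)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    shared = new_machine_key()
    sample = {"SiteA": config_with(None), "SiteB": config_with(shared),
              "SiteC": config_with(shared), "SiteD": config_with(new_machine_key())}
    print("\n".join(audit(sample)))
    print(ET.tostring(new_machine_key(), encoding="unicode"))
```

The generated keys are secrets: anyone who can read them can forge a valid forms-authentication cookie for that application, so restrict read access to the Web.config that holds them.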
2

Try setting the domain name to be sure that the remember-me cookie is set correctly in all cases

<forms  path="/" domain="nameof.com" ...the rest

2 Comments

+1 No luck with this either, but specifying the domain and especially setting the path was a meaningful try.
@HCL check also the anonymous cookie settings.
0

The cookie timeout is also limited by IIS and defaults to something low like 20 min. To change this:

  1. Open IIS Manager.
  2. Right click your site and select properties.
  3. Select the ASP.NET tab and click Edit Configuration.
  4. Select the Authentication tab.
  5. Select Enable sliding expiration.
  6. Set the Cookie timeout to a longer value. To set to 30 days, enter 30.00:00:00.
  7. Click OK and exit IIS manager.
