find a location for property in a new city

Wednesday, 6 October 2010

ASP.NET Authentication cookie not persisting across servers and subdomains

Recently some internal users have started complaining about being sporadically logged out and having to log in again when accessing a different server or different sub domain. It seems like the ASP.NET security cookie is not being persisted between live production servers and development servers.

I noticed a pattern to the seemingly spurious logging out and having to log in again:

  • Log in on live or if you are already logged in. Fine.
  • Log in on your development machine. (Oh that's weird, I thought I was logged in... but okay maybe I wasn't). Fine.
  • Refresh your page on the live site and I need to login again.

Why won't my cookie persist?! Why am I being logged out?

This has started happening since the recent ASP.NET security fix was put on our servers. Apparently it is something to do with changing the necessary authentication cookie. I guess in case you were already exploited before the security fix went out. Anyway, if you are swapping between non-patched development servers and patched production servers you're cookie will NOT persist and you will be asked to log in again if authentication or authorization is demanded by your page.

So either:
  1. Install the patch on all servers as per the ASP.NET team's advice
  2. OR be content with the fact that your customers won't have the problem. (Unless you have both patched and non-patched servers in your web farm)

Follow britishdev on Twitter