3

I've been searching for an answer to this for a while but the problem seems quite complex and I'm struggling to find an answer.

I'm a beginner software developer working for a start-up company and have just completed the first version of a system for use by multiple users. Testing the software locally had no problems, but since publishing the software to a Windows Server 2012 machine on IIS I have found a major problem with the login system.

When the program is uploaded, initially multiple users can log in and use the program with no problems; however, (seemingly) at random the login system completely stops functioning on all computers that are currently logged out. Those who are logged in can log out and log back in with their account or any other, but those who were logged out at this moment completely lose access to the system.

When using the developer tools on Chrome it appears that all these computers completely stop generating the cookie created when logging in and just redirect back to the login screen.

The system still recognises incorrect logins, and it happens with different computers each time I upload the program.

I appreciate that this is a very vague question, but I'm pulling my hair out over it!

As I said, I am a beginner and am completely new to hosting on business servers and don't have much experience with Identity or login systems in general, so any help is much appreciated.

I mainly want to know: is the problem most likely IIS, and if so, where in IIS should I be looking? Or the server's security settings?

Is there an efficient way to debug this while it's running on the server?

If the problem sounds like a coding issue where Identity files have been edited, let me know what class it could be and I'll post the code.

Thanks!

Edit:

Global.asax.cs

public class Global : HttpApplication
{
    void Application_Start(object sender, EventArgs e)
    {
        // Code that runs on application startup
        WebApiConfig.Register(GlobalConfiguration.Configuration);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);

        //Creates roles and adds an admin on first start
        RoleCreator rc = new RoleCreator();
        rc.CreateRoles();
        rc.AddAdmin();
    }
}

Startup.Auth.cs

public partial class Startup {

    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context, user manager and signin manager to use a single instance per request
        app.CreatePerOwinContext(UnitContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        // Configure the sign in cookie
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieName="TrackerCookie",
            LoginPath = new PathString("/Login/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
        // Use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
        app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

        // Enables the application to remember the second login verification factor such as phone or email.
        // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
        // This is similar to the RememberMe option when you log in.
        app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
    }
}
  • Are you using forms authentication? If so, is there any code in global.asax which creates a cookie and writes it to the response? – Nilesh Jul 30 '15 at 10:17
  • Thanks for the response, yes I use forms authentication, the only code in global.asax other than the default is creating a default admin role and registering a custom API. Nothing about creating a cookie and writing a response... The method that creates the cookie is held in Startup.Auth.cs – Verno Jul 30 '15 at 11:35
  • Did you try to debug and check what happens when a user returns to the application? What is this Startup.Auth.cs? Are you using OWIN Startup? – Nilesh Jul 30 '15 at 11:56
  • Yes, it's OWIN start-up, the login system is just a custom version of the ASP.NET Identity system that is part of a new Web Forms application. It was actually another developer that set up this side of the system, that's why I'm struggling to get my head round it! – Verno Jul 30 '15 at 12:14
  • As I understand it, the OWIN Startup is invoked only when the application is first accessed. I believe you need to move the auth cookie code out of startup and probably add it in Global.asax `Application_AuthenticateRequest`. It would be good if you could paste the startup which creates the cookie. – Nilesh Jul 30 '15 at 12:25
  • Hi Nilesh, thanks, that makes sense, I have posted the code from Global.asax and Startup for you to take a look – Verno Jul 30 '15 at 13:25
  • Ok my bad, this is the standard code used for authentication with OWIN. Can you check the request using Fiddler and see if the cookie is being written to the client or not? – Nilesh Jul 31 '15 at 07:33
  • Hey Nilesh, I found this this morning - [link](http://stackoverflow.com/questions/20737578/asp-net-sessionid-owin-cookies-do-not-send-to-browser?answertab=active#tab-top). I'm just testing it now. If I have no luck with the suggestions I'll check the request with Fiddler. Thanks! – Verno Jul 31 '15 at 08:33
  • Cool, let me know how it goes. – Nilesh Jul 31 '15 at 08:37
  • Hey again Nilesh, my issue is sorted, turns out it is a problem with ASP destroying cookies that was never solved. The issue is called "katana bug #197". There's a NuGet package called 'kentor.OwinCookieSaver' that is a workaround and only needs one line of code before configuring the sign-in cookie to correct the issue. I'll update my question with the solution. Thanks very much for your help! Appreciate it!!! – Verno Jul 31 '15 at 11:45

1 Answer

4

Problem is now Solved.

For anyone with the same problem, the issue is caused by a bug called 'katana bug #197'.

The easiest fix is to download the 'kentor.OwinCookieSaver' NuGet package and add app.UseKentorOwinCookieSaver(); above your application cookie config in Startup.

https://github.com/KentorIT/owin-cookie-saver

        // kentor.OwinCookieSaver for 'katana bug #197' (login cookies being destroyed on logout!)
        app.UseKentorOwinCookieSaver();
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieName = "LoginCookie",
            LoginPath = new PathString("/Login/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

Microsoft are aware of the issue and it will be resolved in 2015.

  • Instead of updating the question, you should have posted your own answer here instead of this comment. I have now moved your "answer" here and rolled back the edit to your question. – Mark Rotteveel Jul 31 '15 at 13:01
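As an added illustration of the mechanism the workaround above relies on (this is my own simplified middleware, not the Kentor package's code or anything from the thread): OWIN writes its authentication cookie straight into the Set-Cookie response headers, while System.Web keeps its own HttpResponse.Cookies collection; when System.Web later touches that collection (for instance to issue ASP.NET_SessionId), it regenerates the Set-Cookie headers from the collection and silently drops the OWIN cookie, which is exactly the "cookie never reaches the browser" symptom described in the question. Copying OWIN's cookies into System.Web's collection after the pipeline has run preserves them. The class name `CookieSaverMiddleware` is my choice, and it assumes the Microsoft.Owin SystemWeb host, which exposes the request's HttpContextBase under the environment key `System.Web.HttpContextBase`.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using Microsoft.Owin;

// Illustrative cookie saver (not the Kentor package's code). Register it before
// app.UseCookieAuthentication(...) in Startup.Auth.cs with:
//     app.Use<CookieSaverMiddleware>();
public class CookieSaverMiddleware : OwinMiddleware
{
    public CookieSaverMiddleware(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        await Next.Invoke(context);   // let the rest of the pipeline (incl. cookie auth) run first
        var setCookies = context.Response.Headers.GetValues("Set-Cookie");
        // The SystemWeb host puts the request's HttpContextBase in the OWIN environment (assumed key).
        var httpContext = context.Get<HttpContextBase>("System.Web.HttpContextBase");
        if (setCookies == null || httpContext == null) return;
        foreach (var header in setCookies)
        {
            // Re-adding the cookie to System.Web's collection means a later rewrite of
            // Set-Cookie from that collection still includes the OWIN auth cookie.
            var cookie = ParseSetCookie(header);
            if (cookie != null) httpContext.Response.Cookies.Add(cookie);
        }
    }

    // Parses "name=value; path=/; expires=...; HttpOnly; Secure" into a System.Web HttpCookie.
    internal static HttpCookie ParseSetCookie(string header)
    {
        string[] parts = header.Split(';');
        int eq = parts[0].IndexOf('=');
        if (eq <= 0) return null;   // malformed header: leave it alone rather than guess
        var cookie = new HttpCookie(parts[0].Substring(0, eq).Trim(), parts[0].Substring(eq + 1).Trim());
        for (int n = 1; n < parts.Length; n++)
        {
            string attr = parts[n].Trim();
            int i = attr.IndexOf('=');
            string key = (i < 0 ? attr : attr.Substring(0, i)).ToLowerInvariant();
            string val = i < 0 ? "" : attr.Substring(i + 1);
            DateTime expires;
            if (key == "path") cookie.Path = val;
            else if (key == "domain") cookie.Domain = val;
            else if (key == "httponly") cookie.HttpOnly = true;   // keep the auth cookie out of script reach
            else if (key == "secure") cookie.Secure = true;
            else if (key == "expires" && DateTime.TryParse(val, out expires)) cookie.Expires = expires;
        }
        return cookie;
    }
}
```

Preserving the HttpOnly and Secure attributes while copying matters: a saver that re-added only name and value would silently weaken the cookie that UseCookieAuthentication issued.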