
I'm experiencing a strange issue. I have two websites, one is a clone of the other. On website #1 (the original), logins are persistent and users aren't logged out until they choose to log out themselves.

Both websites are running ASP.NET Core 2.2.

Website #1 login code:

[HttpPost("login")]
public async Task<IActionResult> Login(LoginVM model)
{
    if (ModelState.IsValid)
    {
        var signInAttempt = await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, false);
        if (signInAttempt.Succeeded)
        {
            if (!string.IsNullOrEmpty(model.ReturnUrl))
            {
                return Redirect(model.ReturnUrl);
            }
            return RedirectToAction("Home");
        }

        if (signInAttempt.IsLockedOut)
        {
            ModelState.AddModelError("", _stringLocalizer["User is locked out"]);
        }
        else
        {
            ModelState.AddModelError("", _stringLocalizer["Email and password do not match"]);
        }
    }
    return View(model);
}

On website #2 (the clone), the logins aren't persistent and users are logged out after some time - I'm not sure after how long.

Website #2 login code:

[HttpPost("login")]
public async Task<IActionResult> Login(LoginVM model)
{
    if (ModelState.IsValid)
    {
        var signInAttempt = await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, false);
        if (signInAttempt.Succeeded)
        {
            if (!string.IsNullOrEmpty(model.ReturnUrl))
            {
                return Redirect(model.ReturnUrl);
            }
            return RedirectToAction("Home");
        }

        if (signInAttempt.IsLockedOut)
        {
            ModelState.AddModelError("", _stringLocalizer["User is locked out"]);
        }
        else
        {
            ModelState.AddModelError("", _stringLocalizer["Email and password do not match"]);
        }
    }
    return View(model);
}

So, as you can see from above, both pieces of code are exactly the same - both are set to true in persistence. In the websites' Startup files, they're also identical:

Website #1 Startup.cs:

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    // Configure identity options here.
    options.Password.RequireDigit = false;
    options.Password.RequiredLength = 4;
    options.Password.RequireLowercase = false;
    options.Password.RequireNonAlphanumeric = false;
    options.Password.RequireUppercase = false;
}).AddEntityFrameworkStores<ApplicationDbContext>();

services.ConfigureApplicationCookie(options =>
{
    options.AccessDeniedPath = "/login";
    options.LoginPath = "/login";
    options.LogoutPath = "/logout";
});

Website #2 Startup.cs:

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    // Configure identity options here.
    options.Password.RequireDigit = false;
    options.Password.RequiredLength = 4;
    options.Password.RequireLowercase = false;
    options.Password.RequireNonAlphanumeric = false;
    options.Password.RequireUppercase = false;
}).AddEntityFrameworkStores<ApplicationDbContext>();

services.ConfigureApplicationCookie(options =>
{
    options.AccessDeniedPath = "/login";
    options.LoginPath = "/login";
    options.LogoutPath = "/logout";
});

So, my question is: How do I achieve persistent logins on website #2?

UPDATE: Users are also logged out when the application pool is recycled - this also doesn't happen in website #1.

Mikkel
  • So... what is your question... what is the problem? – D A Jul 30 '20 at 08:22
  • So, my question is: How do I achieve persistent logins on website #2 when they by all means should work, since it's a direct clone of website #1 where logins ARE persistent. I've included this in my question now :) – Mikkel Jul 30 '20 at 08:59
  • First question is... if the sites are on the same domain? – D A Jul 30 '20 at 09:06
  • They're not on the same domain – Mikkel Jul 30 '20 at 09:07
  • So this is your first problem. https://stackoverflow.com/questions/12370495/share-a-cookie-between-two-websites No. Website B can't read a cookie from website A. – D A Jul 30 '20 at 09:09
  • They're two separate websites - they don't share data and each one has their own independent database and so they are not meant to share cookies. – Mikkel Jul 30 '20 at 09:10
  • Try to use options.SlidingExpiration = true; in ConfigureApplicationCookie. – D A Jul 30 '20 at 09:17
  • I'll try it and get back to you :) – Mikkel Jul 30 '20 at 09:26
  • Is there any difference in the startup.cs? According to this [similar thread](https://github.com/aspnet/Identity/issues/1389), perhaps this issue is also related to the SecurityStampValidatorOptions.ValidationInterval property; you could try to set this property. Besides, you could also try to set the cookie's expiration time. – Zhi Lv Jul 30 '20 at 13:07
  • @DA SlidingExpiration doesn't make a difference unfortunately. – Mikkel Aug 09 '20 at 09:33
  • @ZhiLv-MSFT - There isn't really any difference in Startup.cs except site #2 has a few more services injected, but nothing in relation to the users. I'll have a look at your link and see if it works. – Mikkel Aug 09 '20 at 09:33
  • Additionally, it seems users are logged out when the application pool is recycled - I would assume that this is related, because it doesn't happen on site #1 – Mikkel Aug 09 '20 at 09:39
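
Added example, not part of the original question or its comments: the settings the thread mentions (cookie expiration, `SlidingExpiration`, `SecurityStampValidatorOptions.ValidationInterval`) in one place, together with a persisted Data Protection key ring, on the assumption that the logouts after an application pool recycle come from cookie-encryption keys that live only in memory. The helper name `AddPersistentLoginSettings`, the `keyDirectory` parameter and the application name `"website2"` are hypothetical.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class PersistentLoginSetup   // hypothetical helper, not from the question
{
    // Call from ConfigureServices after services.AddIdentity<...>().
    // keyDirectory is an assumed path outside the web root that only the
    // application pool identity can read and write.
    public static IServiceCollection AddPersistentLoginSettings(
        this IServiceCollection services, string keyDirectory)
    {
        // The Identity cookie is encrypted with the Data Protection key ring.
        // If the keys exist only in memory, a process restart creates new keys
        // and every cookie issued earlier stops validating.
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(keyDirectory))
            // A fixed name isolates this site's keys from other apps (assumed value).
            .SetApplicationName("website2");

        // How often the cookie's security stamp is re-checked against the user
        // store; 30 minutes is the framework default.
        services.Configure<SecurityStampValidatorOptions>(o =>
            o.ValidationInterval = TimeSpan.FromMinutes(30));

        services.ConfigureApplicationCookie(o =>
        {
            o.AccessDeniedPath = "/login";
            o.LoginPath = "/login";
            o.LogoutPath = "/logout";

            // Lifetime of the persistent cookie issued when isPersistent is true.
            o.ExpireTimeSpan = TimeSpan.FromDays(14);
            o.SlidingExpiration = true;

            // A long-lived session cookie should not be readable by script
            // or sent over plain HTTP.
            o.Cookie.HttpOnly = true;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        return services;
    }
}
```

Keys written by `PersistKeysToFileSystem` are not encrypted at rest unless a `ProtectKeysWith*` call is added, so the directory's ACL should be limited to the application pool identity.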

0 Answers