I was in the process of deploying my product for UAT on a shared hosting server (Arvixe). I'm using Forms Authentication in my ASP.Net MVC app. While testing I ran into a critical error which caused me a lot of pain and sleepless nights. Hence I decided to write about it now (it's 5:40 am here and I'm yet to hit the bed) so that others can save their time.
What was the problem
During testing I was manually opening a few popups and closing them without any other interaction. Even though I was actively using the app, it was still redirecting me to the Login page after a few seconds to a few minutes (I timed the occurrences while investigating the issue), which would be normal in case of a timeout. But I had set up the forms authentication timeout as 2880 minutes, and as per the MSDN documentation sliding expiration is enabled by default. So there was no reason for my app to behave this way. On my developer machine the app was working as expected.
Why the timeout
After trying out everything from error logging in the controller methods to redeploying the whole app again, I could not figure out what was happening.
I noticed one pattern (using the Chrome developer tools) in the failures: whichever method call redirected me to the login page failed with “Invalid JSON response”.
Then it struck me to check the IIS logs. I went ahead and replicated the issue again and checked the IIS logs. There I found out that all the successful calls had the Forms Authentication user name (the user name with which I had logged in) and the unsuccessful calls had -. That got me thinking that my Forms Authentication ticket was probably not being recognized every time, i.e. not being decrypted successfully every time. Now this could happen for multiple reasons: either my requests were being handled by multiple machines (web farm scenario) or, due to heavy usage (remember I had hosted the app on shared hosting), the worker process was being recycled. In either case my authentication ticket was not recognized and my app was failing.
How to solve the problem
As you may know, Forms Authentication uses the machine key to encrypt/decrypt the Forms Authentication cookie. Also, hosting providers generally leave the machine key in their machine.config set to AutoGenerate, which means that on each worker process recycle, or on a new machine, the key changed and my Forms Authentication ticket was lost. That meant I had to provide a fixed machine key with my application for encryption/decryption of the Forms Authentication ticket.
I went to this site and generated a machine key for ASP.Net 2.0 and pasted the whole tag within the <system.web> tag in my Web.config, and lo and behold my problem was solved. To date I have not faced the same issue again.
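Instead of relying on a key-generator website, a fixed machine key can be produced locally. The PowerShell script below is an added example (not from the original post): it draws the keys from System.Security.Cryptography.RandomNumberGenerator and emits the <machineKey> element to paste inside <system.web>. The algorithm names HMACSHA256/AES are an assumption suited to ASP.NET 4 (ASP.NET 2.0 used SHA1 validation by default), and the key lengths follow from those algorithms.

```powershell
# Added example: generate a fixed <machineKey> element for Web.config so the
# Forms Authentication ticket survives worker process recycles and can be
# decrypted on every machine in a web farm.
# Assumption: ASP.NET 4 algorithm names (HMACSHA256 validation, AES decryption).

function New-HexKey {
    param([int]$ByteLength)
    # Cryptographically random bytes, rendered as upper-case hex (what machineKey expects)
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# HMACSHA256 validation: 64-byte key (128 hex chars); AES decryption: 32-byte key (64 hex chars)
$validationKey = New-HexKey -ByteLength 64
$decryptionKey = New-HexKey -ByteLength 32

$machineKeyElement = @"
<machineKey validationKey="$validationKey"
            decryptionKey="$decryptionKey"
            validation="HMACSHA256"
            decryption="AES" />
"@

# Paste the element inside <system.web> of the deployed Web.config. Use the same
# element on every server that must accept the same ticket, and keep it out of
# source control (e.g. via a config transform or a deployment secret store).
Write-Output $machineKeyElement
```

After deploying, the same IIS log check described above confirms the fix: every authenticated request should now carry the logged-in user name rather than -.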
P.S. For any errata/suggestions/comments/questions please use the comments section below.