IIS 10 not setting Asp.Net cookie for session state - asp.net

I have migrated a website from IIS 7 on MS Server 2008 to IIS 10 on MS Server 2019 and I am unable to set the session state cookie.
I've configured the Session State feature in IIS at the app pool level and at the site level to use InProc for session state, with a named cookie. I've also tried to add this configuration into the web.config file directly.
This is the section of the web.config I have set:
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~/Account/Login" name=".MYSITEAUTH" protection="All" slidingExpiration="true" />
</authentication>
A cookie is being set on the client, but not with the .MYSITEAUTH property of the user.
This is the config of IIS for the site's Session State:
My hypothesis is that this is a configuration issue due to the same code and database not working on two different machines with the same web.config..?
Does anyone have any good steps to follow to enable asp.net session cookies on the client or any gotchas for setting this up in IIS 10 with Server 2019? No idea why this could be any different to the existing configuration but it is certainly something to do with IIS pushing out cookies.
Thanks!

Related

SharePoint or IIS in general passing Windows Authentication to IFrame calling another site on the same server and domain

I have a SharePoint site that is running Windows Authentication (NTLM).
We have a web part that has an IFrame in it that points to another web page that also uses Windows Authentication (NTLM).
Both SharePoint and the WebApplication are located on the same machine on IIS running under the same app pool on the same domain using the same SSL cert and the same machine key.
Example
We have SP1.test.com (SharePoint Site) and NET1.test.com (.net web application)
Both running Windows Authentication only (all other auths have been disabled) with NTLM as the provider.
They both have the same Machine Key.
Here is the web.config
<authentication mode="Windows">
<forms name=".TESTAUTH" cookieless="AutoDetect" slidingExpiration="true" protection="All" timeout="600" enableCrossAppRedirects="true" domain="*.test.com" />
</authentication>
<machineKey validationKey="1234" decryptionKey="1234" validation="SHA1" decryption="AES" />
How do we get this to work without the site requiring double authentication?
NOTE
Both of these sites are accessed internally and externally.

Don't want to share session

I have two ASP.net MVC applications say a.xyz.com/Customer and a.xyz.com/CustomerTest.
I have implemented cookie-based FormsAuthentication. Name of Auth cookie (AUTH and AUTHTEST) is different in both the Applications. Problem is that when I browse the applications in same browser, Session Cookies are available in both the apps. Also when I Abandon session in one application, second application's session abandons as well.
Both applications are running under same app pool. I cannot change the app Pool as they are having rewrite rules also which will not be available if I change the app pool.
I don't want to share the session between these two applications.
Please let me know if it is possible and How?
It is done.
I have changed the session cookie name of both the Applications in sessionState.
<sessionState mode="InProc" cookieless="false" timeout="60" cookieName="PRODSession" />
<sessionState mode="InProc" cookieless="false" timeout="60" cookieName="TestSession" />

Force timeout settings in web.config

I'm using forms authentication in my ASP.NET MVC 4 application. I have configured the timeout settings as below in my web.config.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
Since I'm using a shared hosting environment, I can not change the IIS settings for timeout.
Currently it seems that this timeout is not working and it occurs after 15-20 mins of idle time.
are there any settings to force the timeout to take the value in web.config?
Explicitly adding the machine key to the web.config solved the issue.
http://aspnetresources.com/tools/machineKey

Strange behavior of log on after restart application pool

I am building a simple asp.net mvc3 application using Form authentication. After publishing it to IIS 7.5, I find that even after I restart the application pool for my web site(stop it and then start). A logined user doesn't need to re-login. That's not what I expect and I don't remember I had configured the cookie to be persistent.
I use the simple asp.net mvc3 web application template and haven't done much thing to config authentication. Below is some codes related to authentication:
in web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
in LogOn action:
FormsAuthentication.SetAuthCookie(userName, false);
I think I have got your answer, cookie is set at client side and resetting server IIS will not destroy the cookie as it is not available on server. You can set cookie expiration time and it will get destroy at client side.I hope this clears the situation.

ASP.NET Membership - Can I allow anonymous access and still use automated login using Active Directory?

I hope this is not to paradoxal, but I don't know how this should be done...
I have a VS2008 ASP.NET MVC Project with the following Web.Config entry:
<authentication mode="Windows">
<forms name=".ADAuthCookie" timeout="10" />
</authentication>
This makes the visitor logon automatically with their DOMAIN\username login which they used to logon to Windows. (Right?)
This works with my development server (http://localhost:xxxx), but not with my IIS server (http://localhost). Probably because the development server is 'started' by my local user (which has ActiveDirectory read-rights on the domain) and because IIS is 'started' by the IUSR_WORKSTATION user which does not. (Right?)
If all of the above is true, how can I impersonate the IIS user (for instance to my own username) to solely authenticate the current user with the Windows login name? (like the example below)?
Or should the IUSR_WORKSTATION user be granted ActiveDirectory? read-rights (not preferred as I will be switching servers / IUSR_ users a lot)
<identity impersonate="true" userName="DOMAIN\myuser" password="mypass"/>
<authentication mode="Windows">
<forms name=".ADAuthCookie" timeout="10" />
</authentication>
<identity impersonate="false"/>
Windows authentication is poorly named (IMO). It's not using Windows as the authentication, but rather it delegates the authentication process to IIS. So you need to configure IIS's authentication, which then flows down to ASP.NET
How you do this depends on your version of IIS, in IIS7 expand out the tree and click your web site, then click Authentication and enable Windows Authentication

Resources