Firefox is prematurely deleting asp.net session cookies before their expiration time.
I create an Asp.Net Session Coookie using Microsoft's owin Identity 2.0 on my website, and it has an expiration of 7 days. This works perfectly for IE, Chrome, and Safari.
However Firefox seemingly randomly deletes this cookie before the expiration date/time. My test pattern is like this: Sign in to my website. The cookie is there and I'm authenticated. Close Firefox, and re-open, then re-navigate to my website. I'm automatically signed in, just like I should be. Now Close Firefox and wait between 30mins - 24hours.
Now I Re-open Firefox, navigate to my website, and then one of two things happens. Generally, I'm signed out and have to re-sign in (the cookie is gone). However about 30% of time, I'll be logged in automatically. If I close firefox and re-open immediately, I'll be signed out. This time period varies by as much as 24 hours, and this happens across multiple (20+) Windows 7 computers.
Sometimes I'm signed back in and everything works fine, but this is rare, and usually less than an hour.
I'm using version 37 and 38 for testing (most testing has been done on: 38.0.5 Build ID 20150525141253).
I have Firefox set to Accept Cookies, not to delete cookies on close. I've tried adding my domain to the "allow" exceptions list. I've scoured forums and stack-overflow with no luck. I'm stumped and my client is unhappy. Any thoughts?
Keazen oplossing
It turns out that Firefox was the only browser behaving correctly. I finally traced the bug to an error in how MS Identity 2.0 was handling the "remember me" cookie. The cookie was getting overwritten on successful login, but only after the session had expired on IIS.
The bug is supposed to be fixed in MS Identity 2.2.1 alpha. as per:
https://aspnetidentity.codeplex.com/workitem/2319
Dit antwurd yn kontekst lêze 👍 0Alle antwurden (4)
It simply means that the runtime of the application has expired. See: http://blogs.msdn.com/b/david.wang/ar.../why-do-i-lose-asp-session-state-on-iis6.aspx
When you are starting Firefox, before going to the site, could you check whether the session cookie is still set? There are many ways to access the Cookies dialog, including:
- Paste chrome://browser/content/preferences/cookies.xul into the address bar and press Enter (I suggest bookmarking this if you plan to use it often)
- Options > Privacy > [Firefox will: Use custom settings for history] > "Show Cookies" button
- Type or paste about:permissions in the address bar and press Enter
Each of those has a search box to filter the list so you can get to your site quickly.
guigs2 said
It simply means that the runtime of the application has expired. See: http://blogs.msdn.com/b/david.wang/ar.../why-do-i-lose-asp-session-state-on-iis6.aspx
Thanks for your response guigs2. This doesn't seem to be the issue. I've just forced the app-pool to recycle, and even restarted IIS. My session was maintained across both events in all browsers. (I used a fresh login on Firefox to ensure I'd not run into any time-out issues).
For what it's worth, I'm using IIS8.
Thanks for your suggestion!
Keazen oplossing
It turns out that Firefox was the only browser behaving correctly. I finally traced the bug to an error in how MS Identity 2.0 was handling the "remember me" cookie. The cookie was getting overwritten on successful login, but only after the session had expired on IIS.
The bug is supposed to be fixed in MS Identity 2.2.1 alpha. as per: