MVC's ActionExecutingContext HttpContext.User.Identity.IsAuthenticated Returns False When Signing in on Multiple Browser Tabs

StackOverflow https://stackoverflow.com//questions/11658839

Question

During a custom ActionFilterAttribute's OnActionExecuting method, we ensure that the user is still logged in before performing some actions. We do this by doing something similar to this pseudo code:

using System.Web.Mvc;

// Hypothetical filter name; the question only shows the method body.
public class RequireLoginAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting( ActionExecutingContext filterContext )
    {
        if ( filterContext.HttpContext.User.Identity.IsAuthenticated )
        {
            // Do something...
        }
    }
}

I have multiple sites for multiple clients that run under the same domain, with the only difference being the virtual directory names. Each virtual directory actually points to the same folder/code base, and the URL/virdir name indicates to the code which 'client configuration file' to use from a nested /Clients directory. Not sure if that much detail on the site/code/IIS config is needed, but I'm supplying it in case any of that is the culprit for the problem.

If I try to sign on to multiple sites using multiple instances of a browser, everything works fine. The IsAuthenticated check returns true when I attempt to navigate around the site.

However, if I try to sign on to multiple sites using a single browser with multiple tabs, I keep getting logged out back and forth. If I sign in to site A, I can navigate around, but as soon as I sign into site B, if I try to navigate anywhere in site A, IsAuthenticated returns false.

Is this expected behavior? Is there a workaround to this?

UPDATE: I'm now only able to reproduce this behavior in IE. In Firefox and Chrome, I get booted to the login screen whether I'm on the same browser/multiple tabs or multiple browsers. Is there a difference in the way IE handles cookies? Or aren't cookies the culprit?


Solution

Without knowing your setup in any more detail, this is what I expect is happening.

Assumptions:

  1. You state that you have multiple virtual directories pointing to one code base.
  2. Each of these virtual directories is most likely set up as an application in IIS.
  3. You do not have a machine key defined in your web.config and, as a result, each virtual directory auto-generated its own encryption/decryption keys.

What is probably happening:

  1. When you sign in from different browsers, each browser is given an authentication cookie. Since you are using different browsers, there is no issue.
  2. When using the same browser, you login to site A and are given an encrypted cookie that was encrypted with the siteA autogenerated key.
  3. When you attempt to go to another virtual directory that has a different autogenerated machine key, the site cannot read the authentication ticket (cannot decrypt it) and thus returns logged-in = false.
  4. Once you login to siteB, the authentication cookie is replaced with an authentication ticket from siteB. At this point, siteA can no longer decrypt the authentication ticket and returns logged-in = false.

Try setting the machine key configuration section of your web.config with the appropriate options (MSDN on the machineKey element). Here is some more information on the forms authentication ticket and process as well.
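A web.config fragment showing the explicit machineKey the answer points at, added here as an illustration rather than taken from the question or the answer. The key values are placeholders to be replaced with randomly generated ones of the stated length.

```xml
<configuration>
  <system.web>
    <!-- One explicit key pair shared by every virtual directory, so a
         forms-authentication ticket encrypted and signed by one
         application decrypts and validates in the others instead of
         being rejected as unreadable (the IsAuthenticated == false
         symptom in the question). Generate both values with a
         cryptographic RNG (IIS Manager > Machine Key > Generate Keys
         does this) and keep real keys out of source control. -->
    <machineKey validationKey="[PLACEHOLDER: 128 hex chars, 64 random bytes]"
                decryptionKey="[PLACEHOLDER: 64 hex chars, 32 random bytes]"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

Once the key is shared, a ticket issued by site B also validates on site A, so if the client sites must stay isolated from each other, scope the cookie to each virtual directory at runtime (for example via the cookie-path overload of FormsAuthentication.SetAuthCookie, since the shared web.config cannot vary the forms element per site).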

Licensed under: CC-BY-SA with attribution