OWIN rejects authentication cookie the next day

Question

I have an ASP.NET MVC5 application with the generated startup configuration for using OWIN.

The user logs in to my application, keeps the browser opened but if he tries to access it the next day, the application redirects the user to the login page.

I cannot reproduce this problem on my developer machine, it only occurs on my current shared hosting provider. Actually it worked correctly on my previous provider.

The application pool gets restarted once in a while, but according to my experience, if I do a recycle manually, it does not cause the tokens to be invalidated (which should be the expected behavior as far as I know).

I tried setting sliding expiration explicitly and increasing the cookie validity, but it had no effect:

// Enable the application to use a cookie to store information for the signed in user
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
     AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
     ExpireTimeSpan = TimeSpan.FromDays(365*20),
     SlidingExpiration = true,
     LoginPath = new PathString("/Account/Login")
});
// Use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

I am using .NET Framework 4.5. I tried to update all of my NuGet packages to the latest, but it did not solve the issue.

I checked and the expiration time of the cookies sent and they are correct, that should not be the problem. It happens in various browsers.

Answer 1

It's because the cookie is protected with the <machineKey> from ASP.NET. It sounds like your provider is doing something to trigger a app domain recycle or you're on a web farm so the machine key is not consistent. Try setting a <machineKey> in your web.config.