Mithrodin

Reputation: 41

ASP.NET Forms Authentication Cookie

We try to implement ASP.Net Forms Authentication.

Everything works in our Development environment/server. But when we released to Production, we noticed that the cookies don't work properly in Firefox and Chrome. IE11 and Safari (Mac OSX) do work.

When I view the 'Cookies set by this page' (Chrome), I can see the cookie (both in Development as well as Production environment).

But when I check the development tools (Chrome), there is no cookie when I test on Production, but there is a cookie when I test on Development.

When I do a request to check 'Context.User.Identity.IsAuthenticated', the Production environment returns false, while the development environment returns true.

The code is identical on the 2 servers:

    protected void Page_Load(object sender, EventArgs e)
    {
        this.StatusLabel.Text = "Authorized : " + Context.User.Identity.IsAuthenticated.ToString();
    }

    protected void SetCookieButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SetAuthCookie("TESTER", true);
    }

    protected void DeleteCookieButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
    }

    protected void AuthorizedRequiredButton_Click(object sender, EventArgs e)
    {
        if (Context.User.Identity.IsAuthenticated)
            this.StatusLabel.Text = "SUCCESS!!" + User.Identity.Name;
        else
            this.StatusLabel.Text = "NOT AUTHORIZED!";
    }

    protected void AuthorizedNotRequiredButton_Click(object sender, EventArgs e)
    {
        this.StatusLabel.Text = "SUCCESS!!";
    }

And so is the Web.config:

    <authentication mode="Forms">
      <forms name="TestingSession" cookieless="UseCookies" protection="All" timeout="30" ></forms>
    </authentication>

Why is this not working in Chrome and Firefox in my Production environment, when it does work in IE11 and Safari (on Mac OSX)?

And why does it work in all the browsers I tested with in my Development environment? Is it an IIS setting? Server issue? Or am I missing something else?

I hope someone can help me out.

EDIT: 03-03-2014

After some more testing I noticed the Response Header Date is wrong.

It is always: Tue, 21 Oct 2014 18:04:35 GMT

The date does not change when the page is called again or in another browser.

This means the Cookie is already expired when it is returned to the browser?

I already checked IIS7 for custom headers, but found none.

We also reset the Http Service on the server but still no luck.

Upvotes: 2

Views: 3230

Answers (2)

Nilesh Thakkar

Reputation: 2895

For anybody landing on this page:

@Mithrodin's answer does resolve the issue, but this issue can occur in the future if the DateTime on the application server ever changes. This could be intentional or because of a Daylight Saving Time effect.

This issue is specific to using the method below to set a permanent cookie:

FormsAuthentication.SetAuthCookie("TESTER", true);

The solution to avoid this issue in the future is to pass false as the second argument to the above method. As the cookie won't be permanent, please set an appropriate timeout in the FormsAuthentication tag in web.config to make it work.

Upvotes: 0

Mithrodin

Reputation: 41

We solved the issue by restarting the server.

After some more research we found that the Response Header Date was the same date as a previous issue we had.

A few months ago we added some more RAM to the server. After that, the server date was set in the future (21 oct. 2014). We noticed that issue very fast and set the date back to the actual date.

We never performed a restart of the server at that point. It seems that the Date returned in the Response Headers did require a restart.

Steps we took to resolve this issue.

  • Make sure the Server date is the actual date.
  • Reset the HTTP Service on the Server.
  • Restart the Server.

I hope this helps others with the same issue.

Upvotes: 2
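The question's edit suspects that a stale Date response header makes the persistent cookie look already expired when it reaches the browser. The following is an added example, not code from the thread, that checks one captured response for that condition; the class and method names are hypothetical, and the timestamp and Set-Cookie value are constructed, with only the Date header value taken from the question.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example; CookieDateCheck and Check are hypothetical names.
public static class CookieDateCheck
{
    // RFC 1123 form of the Date header, plus the dashed form some servers
    // emit in a cookie's "expires" attribute.
    static readonly string[] Formats =
    {
        "ddd, dd MMM yyyy HH:mm:ss 'GMT'",
        "ddd, dd-MMM-yyyy HH:mm:ss 'GMT'"
    };

    static DateTimeOffset Parse(string value)
    {
        return DateTimeOffset.ParseExact(value.Trim(), Formats,
            CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal);
    }

    // trustedNow: time on a clock you trust, taken when the response was captured.
    public static string Check(string dateHeader, string setCookie, DateTimeOffset trustedNow)
    {
        DateTimeOffset serverDate = Parse(dateHeader);
        TimeSpan skew = serverDate - trustedNow;

        Match m = Regex.Match(setCookie, @"expires=([^;]+)", RegexOptions.IgnoreCase);
        if (!m.Success)
            return "session cookie (no expires attribute); Date header skew " + skew;

        DateTimeOffset expires = Parse(m.Groups[1].Value);
        if (expires <= serverDate)
            return "EXPIRED ON ARRIVAL: expires " + expires.ToString("u")
                 + " is not after Date " + serverDate.ToString("u");
        if (skew.Duration() > TimeSpan.FromMinutes(5))
            return "CLOCK SKEW: Date header is off by " + skew;
        return "ok";
    }

    public static void Main()
    {
        var now = new DateTimeOffset(2014, 3, 3, 10, 0, 0, TimeSpan.Zero);   // constructed
        string date = "Tue, 21 Oct 2014 18:04:35 GMT";                       // from the question
        string cookie = "TestingSession=<ticket>; expires=Mon, 03-Mar-2014 10:30:00 GMT; path=/; HttpOnly"; // constructed
        Console.WriteLine(Check(date, cookie, now));
    }
}
```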
