Wednesday, April 26, 2017

Why do I keep getting HTTP 403 error on shared hosting?


I have an MVC 5 app, developed under .NET 4.6 and MVC 5.2.3 that works 100% when I debug it in Chrome and Edge on my machine. When I deploy to shared hosting at my ISP, it gives the following error on every request after the very first one, which succeeds and shows the login page.

403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

If I then clear a cookie called .AspNet.ApplicationCookie from Chrome, the next request succeeds, but the cookie is back and all subsequent requests fail in the same manner.

I am not using application state in any of my own code, and the only packages I have added to those that come with the standard VS2015 project template are:

- AutoMapper
- elmah.corelibrary
- Elmah.Mvc
- Unity
- Unity.Mvc5

If I've done this correctly, when I check for cookies in Edge, there is no such cookie, only the __RequestVerificationToken, which plays no role (outside the scope of this question) in Chrome.

NOTE: I have now changed hosting providers, and instead of getting a 403 on nearly every request after the first since app startup, I now get redirected to my login page about every 1 to 2 minutes. It looks like one provider is handling my lack of auth better, but I have a strong suspicion that both problems are due to loss of session. This is probably due to limited resources on shared hosting, so I've tried moving to storing session on SQL Server, but it makes no difference, and Elmah shows no errors, so I don't know if my session move worked.

1 Answer

Answer 1

I think you are using the new dotnet core Cookie middleware. This middleware encrypts your session data inside the cookie value.

The problem is that the encryption/decryption is done based on a key which is unique per application-host (based on machine key). So if your request lands on a different instance than where your session cookie was encrypted, it is unable to decrypt your cookie, and thus thinks you are not authenticated!

You can change this behavior by implementing a different backing store (like redis or sql server).

Read the documentation on how to do this: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie
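For the mechanism the answer describes (the cookie is protected with a key that is generated per host, so another instance cannot unprotect it), the classic ASP.NET/MVC 5 counterpart to a shared backing store is to pin the key explicitly in web.config. This is an added example, not the answerer's code; it assumes an IIS-hosted MVC 5 app where the OWIN cookie middleware uses the machineKey for data protection, and the key values are placeholders to be replaced with generated random keys.

```xml
<!-- web.config, system.web section (added example, not from the original post) -->
<configuration>
  <system.web>
    <!-- Weak on a farm or on hosting that regenerates keys: with AutoGenerate
         each host (or app pool instance) gets its own key, so a cookie protected
         on one instance cannot be unprotected on another.
         <machineKey validationKey="AutoGenerate,IsolateApps"
                     decryptionKey="AutoGenerate,IsolateApps" /> -->

    <!-- Corrected: every instance serving the app shares the same explicit keys,
         so the authentication cookie round-trips between them. The values are
         placeholders; generate real random keys and keep them out of source
         control (for example via configSource or a config transform). -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

A quick check that this is the cause: with explicit keys in place, the .AspNet.ApplicationCookie issued at login should keep working across requests instead of being rejected after the first one.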
