OWIN randomly stops after a few minutes, until AppPool is recycled

Dec 21, 2015 at 1:27 PM
I am under so much pressure to sort this it is making me ill, so I am begging for anyone with even the remotest of ideas to contribute.

I have the strangest problem with OWIN/Katana. The stack is:
  • OWIN/Katana (latest versions from NuGet)
  • Web forms (an old application we're porting) on ASP.NET 4.6.1
  • IIS (integrated mode) (with Load User Profile = TRUE) on Windows 2012
On local IIS/IISExpress it works perfectly. On the live server, it works for about 10 minutes, allowing users to log in and navigate the site, but then it randomly stops. At that point, NOBODY can log in and this behaviour happens for everyone. The .AspNet.ApplicationCookie cookie, although in the response, is also empty from then on.


In Firebug I don't see any 401 errors, everything looks fine. The response data for accountpage.aspx (the first protected resource) even contains the HTML that we would expect the user to see, so at some point the protected page is delivered in the response. Interestingly though, no images or CSS/JS in accountpage.aspx are requested, although I don't know if that's because the redirect has already been respected.

Once this has happened once, then nobody is able to log in and this behaviour persists until the application pool is recycled. It then works again for about 10 minutes before failing again. As this is only in the live system I don't know what to do.

I can post code if need be, but it's virtually identical to the sample project code apart from that our ClaimsIdentity sub-class has some strongly-typed claims.
Coordinator
Dec 21, 2015 at 1:30 PM
http://katanaproject.codeplex.com/wikipage?title=System.Web%20response%20cookie%20integration%20issues&referringTitle=Documentation outlines the only major known issue with cookies on IIS. Have you gone through those steps yet?
Marked as answer by EvilDr on 12/22/2015 at 4:49 AM
Dec 21, 2015 at 1:43 PM
Thanks for your prompt reply. When the user is signed in, we do it like this (shortened for brevity):

    AppIdentity si = new AppIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie, ClaimTypes.NameIdentifier, ClaimTypes.Role);
    si.CustomerId = 123;
    si.UserId = 345;
    var ctx = HttpContext.Current.GetOwinContext();
    var a = ctx.Authentication;
    a.SignOut();
    a.SignIn(si);

At no other point is a cookie issued (although elsewhere in the app, occasionally cookies/session are used). What I don't understand is why OWIN would work perfectly for everyone for about 10 minutes, then completely stop (for everyone). The page you link to seems to indicate that this issue only affects cookies in the response during the time of OWIN responding with cookies also.
Dec 22, 2015 at 11:47 AM
Tractcher, after a late night I tracked down the source of the problem.

It is caused when webforms creates a session value for the user, then redirects them, then reads that value back. At some point, the SignIn() method stops working for everyone, and issues empty identity cookies until the AppPool is recycled.

In my stupidity (major stress) however, I neglected to remember that for every session value created, a cookie is also created for the user. This therefore fits perfectly with the page you showed, and applying the SystemWebCookieManager solution has overcome the problem.

Whilst the workaround does work for us developers stuck with webforms, perhaps there is an issue in the Katana code base that stops it dead when a cookie interferes? I know Anders Abel blogged about the "cookie monster" deleting cookies previously, but this appears to be different behaviour.

Anyway thank you for your time. I am going to finally get some sleep now. I hope you have a good festive season and all the best for the new year.