"Remember me" not working #423

Closed
JornWildt opened this issue Apr 10, 2021 · 7 comments
@JornWildt

JornWildt commented Apr 10, 2021

Clicking "Remember me" in the admin login page doesn't work on my production site (but is working on the dev system). So I was wondering if you could supply some hints as to why it wouldn't work? Maybe just a quick explanation of the cookies involved, such that I can debug it myself :-)

By "not working" I mean, it simply doesn't remember my login. When I get back the day after, I am logged out of the admin pages.

@JornWildt
Author

JornWildt commented Apr 10, 2021

Even worse is that this website has such a short timeout that I cannot even complete a complex text before I'm logged out - and then I lose all the stuff I entered when I click "Save" as the page editor simply redirects to the login page again.

One could wish for a better auth-handling when editing in the admin interface: notify the user about the issue, let them copy the text and then redirect to the login (through a click on a new "LOGIN AGAIN" button).
- Pinging the webserver in the background would work too, making sure it never logs out the user when actually editing something.

@HeyJoel
Member

HeyJoel commented Apr 10, 2021

Mostly we're using the ASP.NET Core auth framework here, you can see the configuration in DefaultAuthConfiguration, and the login action in UserSessionService.

The timings/expiry uses the defaults, and if I test in one of my sites I can see the expiry date on the cookie is set correctly. Some questions/things to look into:

  1. How long does it take to expire? Does it coincide with an application reset?
  2. Are you running a web farm? See web-farm deployment .NET docs for more info, particularly with reference to the data protection setup
  3. Check your auth cookie to see if the expiry dates are set correctly, it will start with "CFA_"
  4. Try another browser to make sure it's not something new the browser vendor implemented, and check for any privacy plugins that might be removing cookies.

@JornWildt
Author

My best guess is that it is an issue with web-farms. I'll focus on that.

@JornWildt
Author

Found the solution here: https://stackoverflow.com/questions/46318461/asp-net-core-remember-me-persistent-cookie-not-works-after-deploy - using PersistKeysToFileSystem ensures all instances of the application get the same key file.

Next thing is that the key has an expiry date:

<expirationDate>2021-07-10T14:46:11.4134416Z</expirationDate>

And I don't know what happens when it hits that date. Hopefully .NET will issue a new key all by itself.

The complete configure services code is then:

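  using System.IO;
  using Microsoft.AspNetCore.DataProtection;
  using Microsoft.AspNetCore.Hosting;
  using Microsoft.Extensions.Configuration;
  using Microsoft.Extensions.DependencyInjection;

  public class Startup
  {
    public IWebHostEnvironment WebHostEnvironment { get; set; }
    public IConfiguration Configuration { get; }

    public Startup(IWebHostEnvironment env, IConfiguration configuration)
    {
      WebHostEnvironment = env;
      Configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
      // Persist the Data Protection key ring to a directory that all
      // instances of the application read, under one application name.
      services
          .AddDataProtection()
          .PersistKeysToFileSystem(new DirectoryInfo(Path.Combine(WebHostEnvironment.ContentRootPath, "Keys")))
          .SetApplicationName("Bogevang");

      services
          .AddControllersWithViews()
          .AddCofoundry(Configuration);
    }
  }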
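
The web-farm failure diagnosed in this thread, as an added example that is not part of the original issue or of Cofoundry's code: each `BuildNode` call stands in for one application instance, and a payload protected by one instance is readable by another only when both share the key directory and the application name. `KeyRingDemo`, the `demo-keys` directory, the purpose string and the ticket contents are constructed for illustration; the example assumes the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages are referenced.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingDemo
{
    // One isolated DI container stands in for one web-farm instance.
    // keyDir == null models an instance that generates its own keys.
    static IDataProtector BuildNode(DirectoryInfo keyDir, string appName)
    {
        var services = new ServiceCollection();
        var builder = services.AddDataProtection().SetApplicationName(appName);
        if (keyDir != null)
            builder.PersistKeysToFileSystem(keyDir);
        else
            builder.UseEphemeralDataProtectionProvider();

        return services.BuildServiceProvider()
            .GetDataProtectionProvider()
            .CreateProtector("Demo.AuthTicket"); // constructed purpose string
    }

    // True if this instance can decrypt and validate the payload.
    static bool CanRead(IDataProtector node, string payload)
    {
        try { node.Unprotect(payload); return true; }
        catch (CryptographicException) { return false; }
    }

    public static void Main()
    {
        // Constructed sample directory and ticket contents.
        var shared = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "demo-keys"));
        var issuer = BuildNode(shared, "Bogevang");
        string ticket = issuer.Protect("user=admin;persistent=true");

        Console.WriteLine("same keys, same name : " + CanRead(BuildNode(shared, "Bogevang"), ticket));
        Console.WriteLine("own keys             : " + CanRead(BuildNode(null, "Bogevang"), ticket));
        Console.WriteLine("same keys, other name: " + CanRead(BuildNode(shared, "OtherApp"), ticket));
    }
}
```

Data Protection rolls the key ring on its own: it creates a new key before the active one expires and keeps expired keys for unprotecting existing payloads, so the shared directory has to stay writable by every instance.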

@JornWildt
Author

Maybe that part is worth mentioning in the Cofoundry example code for other users (even though it is a .NET core issue only).

@HeyJoel
Member

HeyJoel commented Apr 12, 2021

Thanks for taking the time to post the solution. I've extracted the in-context re-login enhancement to #424 and I'll leave this open as a reminder to update the deployment docs.

@HeyJoel HeyJoel added this to the 0.10 milestone Apr 12, 2021
@HeyJoel
Member

HeyJoel commented Mar 4, 2022

Docs updated, will be released alongside v0.10

@HeyJoel HeyJoel closed this as completed Mar 4, 2022