aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Random Authentication Sign Outs in ASP.NET Core 2.1 #2084

Closed ben-foster-rightio closed 5 years ago

ben-foster-rightio commented 5 years ago

I'm receiving user complaints saying they are being directed to the login screen randomly when it has only been a minute or so since they clicked a button that would have sent a message to the server side.

Here is a log of one of the errors.

```
[INF] Executed action "MyAppManager.Controllers.API.AgreementAPIController.GetAgreements (MyAppManager)" in 1473.4897ms (afa2e885)
[INF] Request finished in 1474.816ms 200 application/json; charset=utf-8 (791a596a)
[INF] Request starting HTTP/1.1 GET http://MyAppmanager.MyApp.co.uk/api/AgreementAPI/GetAgreements?searchTerm=1543309403289 (ca22a1cb)
[INF] Entity Framework Core "2.1.3-rtm-32065" initialized '"IdentityDbContext"' using provider '"Microsoft.EntityFrameworkCore.SqlServer"' with options: "None" (9958f5bb)
[INF] Executed DbCommand ("1"ms) [Parameters=["@__get_Item_0='?' (DbType = Int32)"], CommandType='Text', CommandTimeout='30']" ""SELECT TOP(1) [e].[UserId], [e].[AcquisitionTeamId], [e].[AreaNumber], [e].[AuthorisationPassword], [e].[AutoBooking], [e].[AutoUpdateSoftware], [e].[AvayaFullName], [e].[AvayaName], [e].[AvaysExt], [e].[CanSellAgreement], [e].[ChangePassword], [e].[CompanyId], [e].[DateEnded], [e].[DateStarted], [e].[DebugLogs], [e].[DefaultQuotes], [e].[DepartmentId], [e].[EmailAddress], [e].[Forename], [e].[HomeServeEmployee], [e].[Initials], [e].[IsPurchaseOrderReviewer], [e].[JobTitle], [e].[LogonName], [e].[MaxLogins], [e].[Message], [e].[Name], [e].[Notes], [e].[PartTime], [e].[Password], [e].[ReportDDI], [e].[RoleId], [e].[Shift], [e].[ShowEngineerAlert], [e].[Surname], [e].[TerminationId], [e].[TrackFastVersion], [e].[UnreadMessage], [e].[VisibleOnChronicle] FROM [Users] AS [e] WHERE [e].[UserId] = @__get_Item_0" (0723d8ff)
[INF] AuthenticationScheme: "Identity.Application" signed out. (d3f50c8d)
[INF] AuthenticationScheme: "Identity.External" signed out. (d3f50c8d)
[INF] AuthenticationScheme: "Identity.TwoFactorUserId" signed out. (d3f50c8d)
**[INF] "Identity.Application" was not authenticated. Failure message: "No principal." (48071232)**
[INF] Route matched with "{action = \"GetAgreements\", controller = \"AgreementAPI\", page = \"\", area = \"\"}". Executing action "MyAppManager.Controllers.API.AgreementAPIController.GetAgreements (MyAppManager)" (a44c0341)
[INF] Authorization failed. (b15dd539)
[INF] Authorization failed for the request at filter '"Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter"'. (8b6446cb)
[INF] Executing ChallengeResult with authentication schemes ([]). (f3dca807)
[INF] AuthenticationScheme: "Identity.Application" was challenged. (d45f1f38)
[INF] Executed action "MyAppManager.Controllers.API.AgreementAPIController.GetAgreements (MyAppManager)" in 0.3846ms (afa2e885)
[INF] Request finished in 9.3835ms 401 (791a596a)
[INF] Request starting HTTP/1.1 POST http://MyAppmanager.MyApp.co.uk/API/CustomerAPI/WriteToLog/ application/x-www-form-urlencoded; charset=UTF-8 61 (ca22a1cb)
[INF] Route matched with "{action = \"WriteToLog\", controller = \"CustomerAPI\", page = \"\", area = \"\"}". Executing action "MyAppManager.Controllers.API.CustomerAPIController.WriteToLog (MyAppManager)" (a44c0341)
[INF] Executing action method "MyAppManager.Controllers.API.CustomerAPIController.WriteToLog (MyAppManager)" with arguments (["ERROR: WebAPI call is not authenticated", "error"]) - Validation state: Valid (4e3479ed)
[ERR] Client log: ERROR: WebAPI call is not authenticated (d4244074)
```

Startup file:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddScoped<IRFDbRepository, RFDbRepository>();
    var connection = _configuration.GetConnectionString("RFDbConnection");
    services.Configure<ConnectionStrings>(_configuration.GetSection("ConnectionStrings"));
    services.AddDbContext<RFDbContext>(options => options.UseSqlServer(connection));
    services.AddDbContext<IdentityDbContext>(options => options.UseSqlServer(connection));
    services.AddAutoMapper();

    // AddIdentity registers the application cookie and hooks its
    // OnValidatePrincipal event to the security stamp validator.
    services.AddIdentity<User, UserRole>().AddDefaultTokenProviders();

    // Custom stores replace the default EF-backed ones.
    services.AddTransient<IUserStore<User>, UserStore>();
    services.AddTransient<IRoleStore<UserRole>, RoleStore>();

    services.ConfigureApplicationCookie(options =>
    {
        options.LoginPath = "/Identity/Account/Login";
        options.LogoutPath = "/Identity/Account/Logout";
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
        options.SlidingExpiration = true;
    });

    services.AddMvc()
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_1)
        .AddRazorPagesOptions(options =>
        {
            options.AllowAreas = true;
            options.Conventions.AuthorizeAreaPage("Identity", "/Account/Logout");
        });
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env,
    ILoggerFactory loggerFactory, IRFDbRepository rFDbRepository)
{
    loggerFactory.AddFile(_configuration.GetValue<string>("Logging:LogFile"));
    app.UseStaticFiles();

    // Authentication must run before MVC so [Authorize] sees the principal.
    app.UseAuthentication();
    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
        routes.MapRoute(
            name: "ActionApi",
            template: "api/{controller}/{action}/{id?}");
    });

    rFDbRepository.TestConnection();
}
```

Also I've set up the app pool as below: [image]

ben-foster-rightio commented 5 years ago

I do have a custom implementation of the UserStore and RoleStore, but I don't know where to begin in debugging this.

ben-foster-rightio commented 5 years ago

I've finally worked out what this is. It's to do with cookie validation checking being run every 30 mins by default. It's a fault in asp.net core 2.1 and should be fixed in 2.2. See this thread for further details. https://stackoverflow.com/questions/53450844/session-logged-out-too-soon

blowdart commented 5 years ago

The interval at which it runs is configurable. Is your problem that when it checks it will always lock you out? If that is the case are you implementing a security stamp?

You can remove the validator altogether by removing the event in the cookie options.
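The two options above in code, as an added example that is not from the issue or the aspnet/Identity project: the `User` and `UserStore` shapes are assumed (the real store is assumed to be declared `partial` so this part can sit beside it), and `IdentityValidationSetup` is a hypothetical helper called from `ConfigureServices` after `AddIdentity`.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Assumed user entity: the SecurityStamp column is what the periodic cookie
// validation compares against the stamp claim stored in the cookie.
public class User
{
    public int UserId { get; set; }
    public string LogonName { get; set; }
    public string SecurityStamp { get; set; }
}

// Sketch of the custom store: implementing IUserSecurityStampStore<User>
// gives the validator a stamp to compare. A mismatch (or a user lookup that
// returns null) rejects the principal and produces the "No principal" sign-out.
public partial class UserStore : IUserSecurityStampStore<User>
{
    public Task SetSecurityStampAsync(User user, string stamp, CancellationToken ct)
    {
        user.SecurityStamp = stamp;
        return Task.CompletedTask;
    }

    public Task<string> GetSecurityStampAsync(User user, CancellationToken ct)
    {
        // UserManager throws on a null stamp, so every stored user needs one
        // (UserManager.UpdateSecurityStampAsync generates it).
        return Task.FromResult(user.SecurityStamp);
    }
}

public static class IdentityValidationSetup
{
    public static void Configure(IServiceCollection services)
    {
        // Option 1 (keeps server-side revocation): tune how often the stamp is
        // re-checked. Default is 30 minutes; shorter means a password change or
        // admin lock-out invalidates existing cookies sooner, at one DB hit each.
        services.Configure<SecurityStampValidatorOptions>(o =>
            o.ValidationInterval = TimeSpan.FromMinutes(10));

        // Option 2: drop the validator by replacing the cookie event with a no-op.
        // Already-issued cookies then stay valid until ExpireTimeSpan elapses,
        // regardless of changes made to the user account in the meantime.
        services.ConfigureApplicationCookie(o =>
            o.Events.OnValidatePrincipal = _ => Task.CompletedTask);
    }
}
```

Use one option or the other; with both registered, the no-op event wins and the interval setting has no effect.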

blowdart commented 5 years ago

We're closing this issue as the behaviour discussed seems to be by design.