Why isn’t .ASPAUX cookie being validated by FormsAuthentication?

Posted on

Problem :

I have a site that uses FormsAuthentication and yes, the name of the cookie is .ASPAUX 🙂

I can log in perfectly. The server creates a forms authentication ticket, packs it in a cookie, properly determines the expiration time (1 year ahead) and sends it to the client.

For some reason, after some time, even though the cookie is there yet (I can see it with FireCookies) HttpContext.Current.Request.IsAuthenticated becomes false at the server. It’s as if the cookie couldn’t be validated.

The problem is: Why would that happen? How can I debug why the cookie suddenly becomes invalid without expiring?


Here’s the login method:

public static bool Login(int id)
                string securityToken = UserHelper.AuthenticateUser(id);

                DateTime expiryDate = DateTime.Now.AddYears(1);
                FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                     1, id.ToString(), DateTime.Now, expiryDate, true,
                     securityToken, FormsAuthentication.FormsCookiePath);

                string encryptedTicket = FormsAuthentication.Encrypt(ticket);
                HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
                cookie.Expires = expiryDate;


                return true;
                return false;

And the web.config:

<authentication mode="Forms">
            <forms loginUrl="~/Login.aspx" timeout="2880" slidingExpiration="true"/>

Solution :

Set static machine keys in your web.config to make sure that the encryption key used in generating your ticket survives an application pool being recycled (or your website being restarted in the ASP.NET web server)?

Also see the Forms Authentication Tickets section of this MSDN library article

A few things I can think of to check:

Do you have multiple domains (including www.domain.com vs domain.com)?

If so, either set the domain in the cookie as domain.com or ensure you always use the same domain

Are you using HTTPS?

If so, make sure you’re always accessing the cookie via HTTPS or making sure that Secure is set to false on the HttpCookie (otherwise it’s only accessible on HTTPS requests)

Are you writing the cookie from a virtual directory?

If so, the “path” on the cookie might be set and it won’t be accessible from outside the path.

Do you have multiple web servers?

If so, make sure your machine key is set to the same value (though that should be throwing an exception)

Leave a Reply

Your email address will not be published. Required fields are marked *