I have experienced a problem on my site starting this morning, where users are not being properly authenticated. Once a user enters their username and password, the password appears to get verified, but Authentication is lost when being redirected to the next page. The site has been working fine, and this error seems to occur for one user, while other users are fine. I'm not recieving any errors. One test user was having problems with his account, but I could log in with the same test account. I've tried clearing cach and cookies and it did not help. I'm using sqlserver sessionstate and have a machinekey in my web.config. Are you aware of any other Authenticaion issues on the servers? Not sure if this is specific to my site or others...ie it is a microsoft identity problem or something on my end. I'm guessing it is not properly setting Authentcation cookies. But not sure why this would happen sometimes but not others.
Update - While troubleshooting this problem on my website i realized that the login authentication problem was tied to the existence of the ASP.NET_sessionID cookie. If cookies are cleared and I return to my home or login page, no ASP.NET_sessionID cookie would be present and I would not be properly authenticated at login. However, if I would go to a page where I actually use session variables, the ASP.NET_sessionID cookie would be set and once I returned to the login page, I could successfully login and be authenticated. Bottom line is that if I attempt a Login prior to setting a session variable, authentication fails. This appeared random in the login process, because it actually depended on where in the website the user had visited prior to arriving at the login page. My temporary fix is to simply add a unnecessary session variable assignment when I load the Login and Register pages. However, this seems like I'm creating a work around but possibly missing the real issue. My concern is that session variable may not be getting set right. The pages were session variable are used seem to be functioning right. However, when I inspect my SQLdatabase for storing session variables, entries don't seem to be being recorded fully. An entry is recorded in the tempsession table, but the sessionvariable table remains empty. Any comments on whether the sessionvariable table should be populated would be greatly appreciated.
These pages where they may not have an explicit defined sessions variables, where exactly do they exists? Do they exists in their own subfolder setup as their application folder? In which case, that application subfolder maybe setup to not use SQL session and rather use InProc session.
