We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox is prematurely deleting asp.net session cookies before their expiration time.

  • 4 replies
  • 1 has this problem
  • 1 view
  • Last reply by Kirk9

more options

I create an Asp.Net Session Coookie using Microsoft's owin Identity 2.0 on my website, and it has an expiration of 7 days. This works perfectly for IE, Chrome, and Safari.

However Firefox seemingly randomly deletes this cookie before the expiration date/time. My test pattern is like this: Sign in to my website. The cookie is there and I'm authenticated. Close Firefox, and re-open, then re-navigate to my website. I'm automatically signed in, just like I should be. Now Close Firefox and wait between 30mins - 24hours.

Now I Re-open Firefox, navigate to my website, and then one of two things happens. Generally, I'm signed out and have to re-sign in (the cookie is gone). However about 30% of time, I'll be logged in automatically. If I close firefox and re-open immediately, I'll be signed out. This time period varies by as much as 24 hours, and this happens across multiple (20+) Windows 7 computers.

Sometimes I'm signed back in and everything works fine, but this is rare, and usually less than an hour.

I'm using version 37 and 38 for testing (most testing has been done on: 38.0.5 Build ID 20150525141253).

I have Firefox set to Accept Cookies, not to delete cookies on close. I've tried adding my domain to the "allow" exceptions list. I've scoured forums and stack-overflow with no luck. I'm stumped and my client is unhappy. Any thoughts?

I create an Asp.Net Session Coookie using Microsoft's owin Identity 2.0 on my website, and it has an expiration of 7 days. This works perfectly for IE, Chrome, and Safari. However Firefox seemingly randomly deletes this cookie before the expiration date/time. My test pattern is like this: Sign in to my website. The cookie is there and I'm authenticated. Close Firefox, and re-open, then re-navigate to my website. I'm automatically signed in, just like I should be. Now Close Firefox and wait between 30mins - 24hours. Now I Re-open Firefox, navigate to my website, and then one of two things happens. Generally, I'm signed out and have to re-sign in (the cookie is gone). However about 30% of time, I'll be logged in automatically. If I close firefox and re-open immediately, I'll be signed out. This time period varies by as much as 24 hours, and this happens across multiple (20+) Windows 7 computers. Sometimes I'm signed back in and everything works fine, but this is rare, and usually less than an hour. I'm using version 37 and 38 for testing (most testing has been done on: 38.0.5 Build ID 20150525141253). I have Firefox set to Accept Cookies, not to delete cookies on close. I've tried adding my domain to the "allow" exceptions list. I've scoured forums and stack-overflow with no luck. I'm stumped and my client is unhappy. Any thoughts?

Chosen solution

It turns out that Firefox was the only browser behaving correctly. I finally traced the bug to an error in how MS Identity 2.0 was handling the "remember me" cookie. The cookie was getting overwritten on successful login, but only after the session had expired on IIS.

The bug is supposed to be fixed in MS Identity 2.2.1 alpha. as per:

https://aspnetidentity.codeplex.com/workitem/2319

Read this answer in context 👍 0

All Replies (4)

more options

It simply means that the runtime of the application has expired. See: http://blogs.msdn.com/b/david.wang/ar.../why-do-i-lose-asp-session-state-on-iis6.aspx

more options

When you are starting Firefox, before going to the site, could you check whether the session cookie is still set? There are many ways to access the Cookies dialog, including:

  • Paste chrome://browser/content/preferences/cookies.xul into the address bar and press Enter (I suggest bookmarking this if you plan to use it often)
  • Options > Privacy > [Firefox will: Use custom settings for history] > "Show Cookies" button
  • Type or paste about:permissions in the address bar and press Enter

Each of those has a search box to filter the list so you can get to your site quickly.

more options

guigs2 said

It simply means that the runtime of the application has expired. See: http://blogs.msdn.com/b/david.wang/ar.../why-do-i-lose-asp-session-state-on-iis6.aspx

Thanks for your response guigs2. This doesn't seem to be the issue. I've just forced the app-pool to recycle, and even restarted IIS. My session was maintained across both events in all browsers. (I used a fresh login on Firefox to ensure I'd not run into any time-out issues).

For what it's worth, I'm using IIS8.

Thanks for your suggestion!

more options

Chosen Solution

It turns out that Firefox was the only browser behaving correctly. I finally traced the bug to an error in how MS Identity 2.0 was handling the "remember me" cookie. The cookie was getting overwritten on successful login, but only after the session had expired on IIS.

The bug is supposed to be fixed in MS Identity 2.2.1 alpha. as per:

https://aspnetidentity.codeplex.com/workitem/2319