iis - ASP.Net Core Identity login status lost after deploy

Question

I am using ASP.Net Core and MS Identity, I try to understand why after each deployment the login users are logged out. I am running on a IIS 8.5

I have been trying the method in this thread (setting static machine key) ASP.NET Identity 2 relogin after deploy by generating static keys at the server level in IIS UI and adding the following to web.config of the website:

<system.web>
    <machineKey validationKey="XXX"
        decryptionKey="XXX"
        validation="SHA1" decryption="AES"/>
</system.web>

However the problem remains:

• User logs in
• Stop site
• Start site
• The user needs to log in again

But I also go this:

• User logs in
• Restart site
• The user is still logged in

What can cause the user to be logged off? Any idea on how to avoid that?

Answer 1

(solution split into a separate answer following Chris comment)

I found a solution to keep the login status, it survives website stop/start, and an update of the website source folder:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
            // This helps surviving a restart: a same app will find back its keys. Just ensure to create the folder.
            .PersistKeysToFileSystem(new DirectoryInfo("\MyFolder\keys"))
            // This helps surviving a site update: each app has its own store, building the site creates a new app
            .SetApplicationName("MyWebsite")
            .SetDefaultKeyLifetime(TimeSpan.FromDays(90));
}

With these additional lines and the machine key set, the login data stays after site stop/start and IIS server restart, and if the site is rebuilt.

More information there: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

More proposed by justserega: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?tabs=aspnetcore2x#data-protection