This project is read-only.

Cookie authnetication not working on IIS 8.5


OWIN Cookie authentication, seems to work fine on Windows 10/IIS 10, but not on Windows 2012 server with IIS 8.5.

When I login (with the IsPersistent setting to true) and close the browser, I am still logged on when I start my browser again, so that's OK. But when I restart IIS and startup the browser, I have to logon again.

I have created a very simple application to test this, with the following code:

public void ConfigureAuthentication(IAppBuilder app)
        app.UseCookieAuthentication(new CookieAuthenticationOptions
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Login"),
            CookieName = "ThisIsTheAuthCookie"
public ActionResult Login(string userName, string password)
        //For testing purposes every user/pwd is fine
        var identity = new ClaimsIdentity(new [] { new Claim(ClaimTypes.Name, userName), },
            ClaimTypes.Name, ClaimTypes.Role);

        HttpContext.GetOwinContext().Authentication.SignIn(new AuthenticationProperties { IsPersistent = true }, identity);

        return RedirectToAction("index", "home");
Even Chrome shows the cookie, but it looks like OWIN is not using it on IIS 8.5:


scheelings wrote Oct 3, 2016 at 2:23 PM

Hmmm, maybe I have to submit this issue at

bdorrans wrote Oct 3, 2016 at 5:53 PM

Yup, cookie is part of katana itself, rather than identity.

One thing to check though is do you have a fixed machine key in your config? That's what is used to encrypt the cookies. If you haven't specified one then IIS will generate a new one every time the app pool starts, and old cookies will be invalidated.

scheelings wrote Oct 3, 2016 at 11:00 PM

@bdorrans, it was indeed the MachineKey.