I recently moved a website from one host to another.
Before the move the forms authentication was working as normal, and users stayed logged in across sessions.
After the move users get logged out after a seemingly random amount of time.
I checked the network traffic and the .aspxauth cookie was being sent to the server.
I debugged the problem locally and again the cookie is sent, but it does not appear in Request.Cookies. Google tells me that this is because if ASP.NET can't decrypt the .aspxauth cookie then it sneakily strips it out of the Request.Cookies collection.
Thanks
It seems a bit ridiculous that ASP.NET can't decrypt a cookie that it encrypted itself, but this is indeed what happens.
To encrypt the cookie, ASP.NET uses the MachineKey setting in web.config or machine.config. Unfortunately the default setting for this "AutoGenerate,IsolateApps", in which case ASP.NET generates a new value every time the app pool recylces, and thus can't read in existing cookies.
The way to get around this is to specify a key in web.config or machine.config, there are some online tools to generate one (such as http://www.developerfusion.com/tools/generatemachinekey/) and some offline tools for the more paranoid (http://www.codeproject.com/Articles/16645/ASP-NET-machineKey-Generator)
When done it should look something like this:
<machineKey
validationKey="12365A372...etc...34897"
decryptionKey="A76568...etc...1239847FD"
validation="SHA1" decryption="AES">