Users who use certain client computers cannot log on to an ASP.NET application that uses forms authentication after you apply the daylight saving time 2007 update on the Web server that hosts the application

Consider the following scenario. You have a Microsoft ASP.NET application that uses ASP.NET forms authentication. You apply the daylight saving time (DST) 2007 update on the Web server or the Web servers that host this application. In this scenario, users who use certain client computers can no longer log on to the application.

When the user enters the correct credentials, that user is not redirected to the requested Web page as expected. Instead, the affected user is returned to the logon page.

This issue occurs if the client computer has not been updated by using the DST 2007 update.

When a user logs on to ASP.NET forms authentication, the Web server issues a cookie to the client computer. By default, this cookie is set to expire 30 minutes after it was issued. This expiration time is based on the time zone difference from Coordinated Universal Time (Greenwich Mean Time).

Important The clock on the client computer may display the correct time. This problem occurs because the time zone information on the client computer is incorrect.

For example, the following behavior may occur:

• A cookie is sent from a Web server that is located on the East Coast of the United States.
• This cookie is sent at 14:00 (2:00 P.M.). Therefore, the cookie expiration time is calculated by using the following formula:
  The starting time is 14:00. Five hours is added to calculate Coordinated Universal Time (UTC). One hour is subtracted to account for DST. Finally, 30 minutes is added to set the cookie expiration time. Therefore, the cookie is set to expire at 18:30 UTC.
• The client computer receives the cookie. However, the client computer has not been updated for the 2007 DST changes.
• The time on the client computer is 14:00 (2:00 P.M.). However, because the time zone information is incorrect, the following calculation is made:
  The starting time is 14:00. Five hours is added to calculate UTC. The resulting time on the client computer is 19:00 UTC. Therefore, according to the client computer, the cookie expired 30 minutes before the client computer received the cookie.

Because the cookie is in an expired state, the Web browser on the client computer cannot return the cookie to the Web server. Therefore, the client cannot authenticate successfully.

To resolve this issue, update the client computers by using the DST 2007 update. For more information, visit the following Microsoft Web sites:

To work around this issue, modify the expiration time of the ASP.NET forms authentication cookie. Configure the cookie to expire in 120 minutes instead of 30 minutes. To do this, follow these steps:

1. In a text editor, open the Web.config file of the affected ASP.NET application. By default, the Web.config file is located in the root folder of the ASP.NET application.
2. In this file, locate the following lines of code:

   <authentication mode="Forms">
      <forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx" protection="All" path="/" timeout="30" />

3. In the code, change the timeout value to 120. This value corresponds to the expiration of the cookie in minutes. When you modify this value, the cookie expiration allows for more than one hour of time difference between the Web server and the client computer.
4. Save the changes to the Web.config file, and then exit the text editor.
   
   The ASP.NET application automatically restarts.

This behavior is by design.