3

I'm having a problem with our login procedure.

Some customers complain that they can't log in. I can see in our logs that their login is successful and that they are redirected from the login page to the member area. But there somehow the login isn't detected and they are bounced back to the login page.

I've asked customers to check if cookies are supported (http://www.html-kit.com/tools/cookietester/) but the problem remains even if this test returns true.

This is how I've implemented the login procedure (simplified):

protected void Login(string email, string password)
{
    FormsAuthentication.SignOut();

    Guid clientId = /* Validate login by checking email and password, if fails display error otherwise get client id */

    FormsAuthentication.SetAuthCookie(clientId.ToString(), true);

    HttpContext.Current.Response.Redirect("~/Members.aspx");
}

On the member page I check for authentication in the Page_Load function:

public static void IsAuthenticated()
{
    if (!HttpContext.Current.User.Identity.IsAuthenticated)
    {
        HttpContext.Current.Response.Redirect("~/Login.aspx", true);
    }
}

Maybe I'm using FormsAuthentication completely wrong?

I've asked this before but still haven't been able to figure this out, I'd appreciate any help.

From my Web.Config:

<system.web>
    <compilation debug="false">
      <assemblies>
       ...
      </assemblies>
    </compilation>
    <authentication mode="Forms"/>
    <sessionState mode="InProc" cookieless="false" timeout="180"/>
    <customErrors mode="On"/>
    <httpHandlers>
    ...
    </httpHandlers>
    <httpModules>
    ...
    </httpModules>
</system.web>
2
  • You miss the login page and the deny all users (see my answer). Commented Jun 3, 2010 at 9:03
  • Note that the current login procedure works for most customers (99%). Commented Jun 3, 2010 at 9:19

3 Answers

2

public static void IsAuthenticated()
{
    if (!HttpContext.Current.User.Identity.IsAuthenticated)
    {
        HttpContext.Current.Response.Redirect("~/Login.aspx", true);
    }
}

is not necessary when you use forms authentication.

When you specify the forms authentication in the web.config (in which you also specify the login page)

<authentication mode="Forms">
  <forms loginUrl="/Authorization/Login" timeout="60" />
</authentication>

and you deny all non-authenticated users access

<authorization>
  <deny users="?" />
</authorization>

you don't have to check the authentication of a user yourself, the framework takes care of that.

I would place the FormsAuthentication.SignOut(); code behind a 'logout' link


1 Comment

As I have a bit weird requirements I can't use traditional ASP.NET authentication... I'm stuck with using SetCookieAuth and Identity.IsAuthenticated.
1

Separate the calls of SignOut() and SetAuthCookie() into different methods. You may call FormsAuthentication.SignOut(); when the Login page loads the first time - simply just do away from calling SignOut() on the Login page. And call FormsAuthentication.SetAuthCookie(clientId.ToString(), true); after authentication is successful.

1 Comment

Tried this but it didn't have any effect :(
1

Normally you would use FormsAuthentication.Authenticate together with some membership provider, but this should work, and it actually does on my machine.

Are you removing the FormsAuthentication from your registered HTTP modules? Normally, this is in the machine-wide web.config:

<configuration>
  <system.web>
    <httpModules>
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"  />
    </httpModules>
  </system.web>
</configuration>

If you put a <clear /> inside that same section of your own web.config, you're effectively removing that module.

My tested Web.config is pretty clean, it only has <authentication mode="Forms"/> configured.

2 Comments

No I haven't removed it. Note that the problem is not affecting everyone.
How do you perform your login?
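
A diagnostic for the symptom in the question (login succeeds, then the member page sees an anonymous request), as an added example that is not code from any of the posts above: it reports whether the forms-authentication cookie arrived, whether it decrypts, and whether the ticket has expired. The class and method names are hypothetical; `FormsAuthentication.FormsCookieName`, `FormsAuthentication.Decrypt` and `FormsAuthenticationTicket` are the framework's own.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the original posts): call it from Page_Load on
// Members.aspx before redirecting, and write the returned string to the server log.
// It never returns the cookie value itself, so the log holds no usable ticket.
public static class AuthCookieDiagnostics
{
    public static string Describe(HttpContext context)
    {
        // Already authenticated: FormsAuthenticationModule accepted the ticket.
        if (context.User != null && context.User.Identity.IsAuthenticated)
            return "authenticated as " + context.User.Identity.Name;

        // Case 1: the browser did not send the auth cookie back at all.
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "no auth cookie in request";

        // Case 2: a cookie arrived but this server cannot decrypt or validate it.
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            return "auth cookie rejected: " + ex.GetType().Name;
        }
        if (ticket == null)
            return "auth cookie rejected: ticket is null";

        // Case 3: the ticket decrypts but its lifetime has passed.
        if (ticket.Expired)
            return "ticket expired at " + ticket.Expiration.ToString("u");

        // Case 4: a valid ticket is present yet the request is anonymous, for
        // example because FormsAuthenticationModule did not run for this request.
        return "valid ticket for " + ticket.Name + " but request is anonymous";
    }
}
```

Logging this string for the affected customers separates a cookie that never comes back from one that the server receives but does not accept.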
