4

On an application that has form based authentication, I have a standard ASP.NET Login control with the following Authenticate event handler.

void Login_Authenticate(object sender, AuthenticateEventArgs e)
{
    if (Security.AuthenticateUser(Login.UserName, Login.Password))
    {
        e.Authenticated = true;
        RedirectFromLoginPage(Login.UserName);
    }
    else
    {
        e.Authenticated = false;
    }
}

The RedirectFromLoginPage function goes like this : 

private void RedirectFromLoginPage(String username)
{
    String returnUrl = GetReturnUrl();
    FormsAuthentication.SetAuthCookie(username, true, "/");
    Response.Redirect(returnUrl, true);
}

This works fine in 99% of cases. However, I sometimes get support calls from people who can't log in. They will enter their credentials, get redirected back to the home page (which is what happens when everything works fine) but they won't be logged in.

Figuring it might be a cookie problem, I tried to reproduce the problem in my environment by setting my privacy options to "Block All Cookies" and I was able to reproduce the problem. The SetAuthCookie function is called, but on the next page load HttpContext.Current.User.Identity.IsAuthenticated returns false.

In my web.config, the authentication is set like so :

<authentication mode="Forms">
  <forms loginUrl="..." timeout="180" cookieless="AutoDetect"/>
</authentication>

Reading the documentation on MSDN about AutoDetect and SetAuthCookie, I got that :

AutoDetect Specifies that cookies are used, if the device profile supports cookies; otherwise, cookies are not used.For desktop browsers that are known to support cookies, a probing mechanism will be used to try to use cookies, when enabled. If a device does not support cookies, no probing mechanism will be used.

FormsAuthentication.SetAuthCookie : Creates an authentication ticket for the supplied user name and adds it to the cookies collection of the response, using the supplied cookie path, or using the URL if you are using cookieless authentication.

I would of thought that in my scenario, cookieless authentication would of been used but it isn't (I don't see anything in the QueryString after the redirect anyway).

If I set a breakpoint in the RedirectFromLoginPage function and test some values I get : 

bool cookieSupport = Request.Browser.Cookies; //"true"
bool redirectWithCookies = Request.Browser.SupportsRedirectWithCookie; //"true"
HttpCookieMode currentMode = FormsAuthentication.CookieMode; //"AutoDetect"

I'm not sure if the Request.Browser.Cookies is meant to be true or not here. The browser does support cookies, but they are all blocked...

Anyway, I got to remote for a few minutes on a machine where the problem was happening. The privacy settings were set to medium so it should of been able to accept cookies. It was a standard Win7 / IE8 setup. I tried adding the website to the user's trusted zone, to login via https but it didn't work. Other problem setups were similar (nothing really stands out with the machines and the users tell me they have no problems on other websites)

So what am I doing wrong here?

Improve this question

2 Answers 2

Reset to default
1

Do you specify the domain for the forms authentication cookie in the web.config file? And does it match the domain for the website?

I believe Medium security settings in IE block third party cookies so the problem could be IE thinking your authentication cookie is a third party cookie.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

I don't, but wouldn't this problem be avoided by adding the site to the trusted zone?
Assuming the default privacy levels haven't been changed, yes, that should do it. Just make sure you close all IE sessions after adding the site to the Trusted zone before testing the change.
One other thought, try emptying the browser cache. I seem to remember a full cache causing problems with forms authentication in the past (only in IE).
Yes i've done that (both emptying the cache and restarting IE) to no avail. The fact that it just doesn't detect that it should use cookieless is what worries me. Thanks for your help.
You might want to download and install an eval copy of IEWatch (iewatch.com) if you can. This tool will allow you to see what is happening to the cookie on the users browser.
1

A similar problem occured for me. But it was only for Internet Explorer 8. After some research, I figured that IE8 runs on cookiless mode by default. So, I changed this line in web.config: <forms loginUrl="..." timeout="180" cookieless="AutoDetect"/> to <forms loginUrl="..." timeout="180" cookieless="UseUri"/>, and it works fine.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.