Forms Auth cookie vanishes immediately after login

Discussion in 'ASP .Net' started by 23s, Jul 2, 2004.

  1. 23s

    23s Guest

    I had this problem in the past, after a server reformat it went away, and
    now after another server reformat it's back again - no clue what's doing it.
    Here's the flow:

    Website root is public, no SSL no forms auth. One of the subfolders in the
    public area is the root of a "protected" area; SSL is required from this
    subfolder on forward and a web.config in the subfolder specifies forms
    authentication. From the public area, I provide a link to a "welcome" page
    in the protected area - if welcome page is requested, user is bounced to
    login.aspx, and if successful login (integrated with AD) they get the
    welcome page.

    This part works, I can arrive to the site, request the protected "welcome"
    page, get the login.aspx, log in with my AD creds, and get the welcome page.
    Turning trace on shows the forms auth cookie to exist on the welcome page.
    Because I am integrated with AD I'm using role-based security in web.configs
    and so I'm impersonating in every subsequent request. On the next request,
    the forms auth cookie is gone when Authenticate_Request fires. AFAIK I
    don't have any code between the output of the trace on "welcome" page and
    the Authenticate_Request in global.asax. The cookie is being destroyed
    sometime after I login and the welcome page is delivered, but I can't figure
    out where or by what.

    Consequently, the only part of my secure area I can access is the welcome
    page. Once I'm there, my cookie goes bye-bye and any requests in the
    protected area simply bounce me to the login screen again.

    What would cause a cookie be created and then seemingly disappear once I'm
    logged in? The website code is stored in VSS and hasn't changed in months;
    this code was working last week before I reformatted the web server, so I'm
    suspecting a server configuration issue - the web.configs may have changed,
    although I cannot seem to find anything wrong with them.
    23s, Jul 2, 2004
    #1
    1. Advertising

  2. 23s

    Raterus Guest

    are these pages all on the same domain name (as far as the browser knows)?

    also, have you set the path of the Forms Authentication cookie so that all the pages can read it. "/" works best

    --Michael

    "23s" <> wrote in message news:...
    > I had this problem in the past, after a server reformat it went away, and
    > now after another server reformat it's back again - no clue what's doing it.
    > Here's the flow:
    >
    > Website root is public, no SSL no forms auth. One of the subfolders in the
    > public area is the root of a "protected" area; SSL is required from this
    > subfolder on forward and a web.config in the subfolder specifies forms
    > authentication. From the public area, I provide a link to a "welcome" page
    > in the protected area - if welcome page is requested, user is bounced to
    > login.aspx, and if successful login (integrated with AD) they get the
    > welcome page.
    >
    > This part works, I can arrive to the site, request the protected "welcome"
    > page, get the login.aspx, log in with my AD creds, and get the welcome page.
    > Turning trace on shows the forms auth cookie to exist on the welcome page.
    > Because I am integrated with AD I'm using role-based security in web.configs
    > and so I'm impersonating in every subsequent request. On the next request,
    > the forms auth cookie is gone when Authenticate_Request fires. AFAIK I
    > don't have any code between the output of the trace on "welcome" page and
    > the Authenticate_Request in global.asax. The cookie is being destroyed
    > sometime after I login and the welcome page is delivered, but I can't figure
    > out where or by what.
    >
    > Consequently, the only part of my secure area I can access is the welcome
    > page. Once I'm there, my cookie goes bye-bye and any requests in the
    > protected area simply bounce me to the login screen again.
    >
    > What would cause a cookie be created and then seemingly disappear once I'm
    > logged in? The website code is stored in VSS and hasn't changed in months;
    > this code was working last week before I reformatted the web server, so I'm
    > suspecting a server configuration issue - the web.configs may have changed,
    > although I cannot seem to find anything wrong with them.
    >
    >
    Raterus, Jul 2, 2004
    #2
    1. Advertising

  3. 23s

    23s Guest

    On the same domain - it's not too big, the entire structure looks like this:

    <website root folder> website starts here in IIS
    ----[web.config] (let anyone in, no auth req'd)
    ----[content]
    ----<securesite subfolder> new app in IIS + req's SSL
    --------[web.config] (use forms auth, path="/")
    --------[login.aspx]
    --------[index.aspx] ("welcome" page, public side requests to enter
    securesite)
    --------<securesite area 1 subfolder>
    ------------[web.config] (allowed/denied roles)
    ------------[content]
    --------<securesite area 2 subfolder>
    ------------[web.config] (allowed/denied roles)
    ------------[content]
    --------<about 12 more areas, structured alike>

    So from the public http/80 side, user requests securesite/index.html on the
    https/443 side in the "securesite" app root; the forms auth in the
    securesite app sees the user is not logged in yet and gives them login.aspx.
    User enters creds, login.aspx page makes an .ASPXAUTH cookie on their client
    and redirects to index.aspx - global.asax impersonates, index.aspx is
    delivered, trace shows .ASPXAUTH exists, all appears well.

    Next request to (pick any) "<securesite area X subfolder>" sends you back to
    login.aspx - .ASPXAUTH cookie is *not* listed in the trace data, only
    ASP.NET_SessionID remains in the cookies. The SessionID stays consistant as
    you play with this so I think it's retaining the session data OK. But for
    some reason the browser is throwing out .ASPXAUTH? I've got my browser
    security completely bottomed out for the purposes of testing this and it
    doesn't seem to matter. Using the same code that worked a few weeks ago -
    can this be a server config issue? Web.config problem? Timeouts on session
    & forms auth in web.config are set to 30 mins.

    "Raterus" <> wrote in message
    news:...
    are these pages all on the same domain name (as far as the browser knows)?

    also, have you set the path of the Forms Authentication cookie so that all
    the pages can read it. "/" works best

    --Michael

    "23s" <> wrote in message
    news:...
    > I had this problem in the past, after a server reformat it went away, and
    > now after another server reformat it's back again - no clue what's doing

    it.
    > Here's the flow:
    >
    > Website root is public, no SSL no forms auth. One of the subfolders in

    the
    > public area is the root of a "protected" area; SSL is required from this
    > subfolder on forward and a web.config in the subfolder specifies forms
    > authentication. From the public area, I provide a link to a "welcome"

    page
    > in the protected area - if welcome page is requested, user is bounced to
    > login.aspx, and if successful login (integrated with AD) they get the
    > welcome page.
    >
    > This part works, I can arrive to the site, request the protected "welcome"
    > page, get the login.aspx, log in with my AD creds, and get the welcome

    page.
    > Turning trace on shows the forms auth cookie to exist on the welcome page.
    > Because I am integrated with AD I'm using role-based security in

    web.configs
    > and so I'm impersonating in every subsequent request. On the next

    request,
    > the forms auth cookie is gone when Authenticate_Request fires. AFAIK I
    > don't have any code between the output of the trace on "welcome" page and
    > the Authenticate_Request in global.asax. The cookie is being destroyed
    > sometime after I login and the welcome page is delivered, but I can't

    figure
    > out where or by what.
    >
    > Consequently, the only part of my secure area I can access is the welcome
    > page. Once I'm there, my cookie goes bye-bye and any requests in the
    > protected area simply bounce me to the login screen again.
    >
    > What would cause a cookie be created and then seemingly disappear once I'm
    > logged in? The website code is stored in VSS and hasn't changed in

    months;
    > this code was working last week before I reformatted the web server, so

    I'm
    > suspecting a server configuration issue - the web.configs may have

    changed,
    > although I cannot seem to find anything wrong with them.
    >
    >
    23s, Jul 2, 2004
    #3
  4. 23s

    23s Guest

    Correction to the above post:

    > So from the public http/80 side, user requests securesite/index.html on

    the

    it's index.aspx, not index.html; all pages are .aspx files monitored by
    asp.net/forms auth.
    23s, Jul 2, 2004
    #4
  5. 23s

    Raterus Guest

    Here is how I fixed my "dissapearing cookie" problem. I set up another
    forms authentication website, as basic as possible (everything in root
    directory at first), get that working, then gradually move that project
    toward a configuration like your current project (move pages to same
    directories, same web.config settings, etc), eventually one of two things
    will happen, it'll stop working, and you'll know exactly what you did that
    caused that to happen, or it will work great and you'll be stumped about
    what is the difference <-- if this happens, just copy everything over from
    the text project to the real project, and it should work.

    It's a little time consuming yeah, but this helped me figure out exactly
    what the problem was when I was troubleshooting one of my forms
    authentication applications..

    "23s" <> wrote in message
    news:...
    > Correction to the above post:
    >
    > > So from the public http/80 side, user requests securesite/index.html on

    > the
    >
    > it's index.aspx, not index.html; all pages are .aspx files monitored by
    > asp.net/forms auth.
    >
    >
    Raterus, Jul 3, 2004
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?SWdneSBFdmFucw==?=
    Replies:
    2
    Views:
    3,067
    =?Utf-8?B?SWdneSBFdmFucw==?=
    Apr 25, 2004
  2. =?Utf-8?B?Q2hyaXMgTW9oYW4=?=

    Configuring Windows Auth & Forms Auth in Asp.Net

    =?Utf-8?B?Q2hyaXMgTW9oYW4=?=, Apr 28, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    686
    =?Utf-8?B?Q2hyaXMgTW9oYW4=?=
    Apr 28, 2004
  3. =?Utf-8?B?ZGhucml2ZXJzaWRl?=

    Windows Auth, but Forms Auth for one page?

    =?Utf-8?B?ZGhucml2ZXJzaWRl?=, Jan 8, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    543
    Elton Wang
    Jan 8, 2005
  4. jazzdrums
    Replies:
    2
    Views:
    826
    jazzdrums
    Aug 28, 2007
  5. Eric
    Replies:
    2
    Views:
    483
Loading...

Share This Page