Forms Authentication - Sudden Redirect Failure on Login

Stephen Davies

I have a strange problem: for months now we have had a dotnet 2.0 application
(previously 1.1 but now upgraded) running on a 2003 server without issue. A
recent small change was made to the site's underlying code and tested on the
development platform of Windows XP, migrated to the QA platform (a Win 2003
server) and finally migrated to production.

Just when you think you are following best practice procedures and fully
testing in each environment the production system fails the login (forms
authentication) for everyone. Now the change was to the binary alone so
that's all that was replaced (I am using the VS2005 Web Deployment Project
tool), so reverting the single old binary in the bin folder brought back the
old login functionality.

The code was reviewed, nothing in the login process was altered, debugging
was added to show that the user was actually authenticated and retrieval of
user data from the login further confirmed that. It's just when the redirect
happens (confirmed correct with debug.writeline of GetRedirectUrl) that it
seems forms authentication intercepts again and redisplays the login page (as
if via a redirect, it is not a postback). I have installed Fiddler and it looks
like the authentication cookie is correctly placed. I have even tried setting
the authentication as cookieless, still the problem persists.

I have also moved the code binary (and site) to another win2003 server box,
again all works fine. Move the binary back to the production server and the
login fails on redirect again!

I can only assume there is something wrong with the .Net framework on the
production server so did the following:
1. Shut down IIS.
2. Delete the cache from C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
(using shift delete, and empty the recycle bin to be sure).
3. Restart IIS and observe the recreation of the cache.

Still the problem persists, I am lost and at my wits' end! I have changes that
need to go into production and short of rebuilding the machine (I know that
would fix it) I have run out of ideas.

Does anyone have some fresh ideas or experienced this before themselves?
 
Luke Zhang [MSFT]

Hello Stephen,

I suggest you may create a very simple form authentication web application
and deploy it to the production server, to test if it is an IIS or .NET
framework issue. Also, did the problem occur after you updated to a new version
of the binary assembly? Was the web.config file changed before the problem
happened?

Regards,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Stephen Davies

Thanks for the response Luke

Luke Zhang said:
I suggest you may create a very simple form authentication web application
and deploy it to the production server, to test if it is an IIS or .NET
framework issue.

How does this point to an IIS or .Net issue?

I have the application deployed in a Production and Test site on the same
IIS Server (different IP addresses & domain names) with the problem
exhibiting the same symptoms on both sites. Move the same code (binary &
aspx) to any number of other Win2003, Win2K and WinXp machines and the code
works perfectly (as it has done for more than 12 months).

Luke Zhang said:
Also, did the problem occur after you updated to a new version of
the binary assembly?

Yes, the previous binary (on the production machine) still works (for some
odd reason)
 
Luke Zhang [MSFT]

Hello,

Thank you for the update. Have you tried compiling the project on the
production server? Also, I saw you work with VS2005 and your original
project is with .NET framework 1.1. Is it possible there is a problem with the
.NET framework version? You may check the site's properties in IIS manager and
select the ASP.NET tab; the registered .NET framework version is shown there.

Regards,

Luke Zhang
Microsoft Online Community Lead

Stephen Davies

Luke Zhang said:
Hello,

Thank you for the update. Have you tried compiling the project on the
production server?

This is not an option as the machine is a dedicated server (lots of red tape
to get through). Shouldn't make any difference.

I think you are missing the point here. The application has worked for
nearly 12 months on this machine under the dotnet 2.0 framework, I can copy
the site to other machines (that are dotnet 2.0) and the login process
redirect works perfectly (win2k, win2003 and XP). I am sure it's something in
the framework that needs tending to, I just don't know what.

Luke Zhang said:
Also, I saw you work with VS2005 and your original
project is with .NET framework 1.1.

It was upgraded to 2.0

Luke Zhang said:
Is it possible there is a problem with the .NET framework version?

No, it is 2.0, it wouldn't work at all compiled with vs2005 if the framework
was 1.1
 
Luke Zhang [MSFT]

Hello Stephen,

Could you please show us the code you used for form authentication, for
example, how did you call RedirectFromLoginPage method in your code? Is
CookiePath specified in the method?

Thanks,

Luke Zhang
Microsoft Online Community Lead

Stephen Davies

Remember this authentication method has been working for 6 months or more
under .net 2.0 and at least 12 months before that under .net 1.1.

The executable currently running on the box is still working!!! It's just
when I recompile this one it fails. Move the executable and pages to another
machine and it's fine, move it back to this one and it fails. This is what makes
me think it's a .net thing not a code thing, but here it is anyway:

DateTime dtTimeout;
if (bPersistant)
    dtTimeout = DateTime.Now.AddMonths(6);
else
    dtTimeout = DateTime.Now.AddMinutes(60);

FormsAuthentication.Initialize();
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                                    // Ticket version
    strUser.ToUpper(),                    // Username associated with ticket
    DateTime.Now,                         // Date/time issued
    dtTimeout,                            // Date/time to expire
    bPersistant,                          // "true" for a persistent user cookie
    role,                                 // User-data, in this case the roles
    FormsAuthentication.FormsCookiePath); // Path cookie valid for

// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);

// Set the cookie's expiration time to the tickets expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);

if (redirectURL == null || redirectURL == "noRedirect") return;

Debug.WriteLine("FormsAuthCore set cookie lastlogin->" + strUser.ToUpper());
SetCookie("lastlogin", strUser.ToUpper());
Debug.WriteLine("FormsAuthCore - Redirect to ->" + redirectURL);
Response.Redirect(redirectURL);

The last Debug.WriteLine has the correct redirectURL in it, it is just
intercepted and front ended with the login page once again with the requested
redirect URL (target secured page) in the ReturnUrl querystring variable.
 
Stephen Davies

Didn't have the method's header on the last post so here it is complete:

/// <summary>
/// The central core for processing the forms authentication
/// This has been located in the common PageBase to allow
/// external function to call it and automatically log the
/// user into the system.
/// </summary>
/// <param name="redirectURL"></param>
/// <param name="role"></param>
/// <param name="strUser"></param>
protected void FormsAuthCore(string redirectURL, string role, string strUser, bool bPersistant)
{
    DateTime dtTimeout;
    if (bPersistant)
        dtTimeout = DateTime.Now.AddMonths(6);
    else
        dtTimeout = DateTime.Now.AddMinutes(60);

    FormsAuthentication.Initialize();
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                                    // Ticket version
        strUser.ToUpper(),                    // Username associated with ticket
        DateTime.Now,                         // Date/time issued
        dtTimeout,                            // Date/time to expire
        bPersistant,                          // "true" for a persistent user cookie
        role,                                 // User-data, in this case the roles
        FormsAuthentication.FormsCookiePath); // Path cookie valid for

    // Encrypt the cookie using the machine key for secure transport
    string hash = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);

    // Set the cookie's expiration time to the tickets expiration time
    if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

    // Add the cookie to the list for outgoing response
    Response.Cookies.Add(cookie);

    if (redirectURL == null || redirectURL == "noRedirect") return;

    // Don't call FormsAuthentication.RedirectFromLoginPage since it could
    // replace the authentication ticket (cookie) we just added
    // string fred = FormsAuthentication.GetRedirectUrl(strUser, false);
    // Debug.WriteLine("FormsAuthCore GetRedirectURL (not used) ->" + fred);

    Debug.WriteLine("FormsAuthCore set cookie lastlogin->" + strUser.ToUpper());
    SetCookie("lastlogin", strUser.ToUpper());
    Debug.WriteLine("FormsAuthCore - Redirect to ->" + redirectURL);
    Response.Redirect(redirectURL);
}
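
A request-side check for the symptom described in this thread, added here as an example and not code from Stephen's post or from Microsoft: it reports whether the forms authentication cookie came back on the request that follows the redirect and whether this server accepts the ticket inside it. The `AuthCookieDiagnostics` class and its messages are hypothetical; it assumes cookie (not cookieless) mode and a reference to System.Web.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the thread): describes what the server sees
// in the forms authentication cookie of an incoming request.
public static class AuthCookieDiagnostics
{
    public static string Describe(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return "no auth cookie on request (check cookie path, domain and requireSSL)";

        FormsAuthenticationTicket ticket;
        try
        {
            // Throws or returns null when this server cannot validate or decrypt
            // the value, e.g. the keys in effect differ from those used to issue it.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException ex) { return "ticket rejected: " + ex.Message; }
        catch (HttpException ex) { return "ticket rejected: " + ex.Message; }
        catch (CryptographicException ex) { return "ticket rejected: " + ex.Message; }

        if (ticket == null)
            return "ticket could not be decrypted";
        if (ticket.Expired)
            return "ticket expired at " + ticket.Expiration.ToString("o")
                 + " (server clock " + DateTime.Now.ToString("o") + ")";

        // Log only ticket metadata. The cookie value itself is a bearer
        // credential and must never be written to a log.
        return "ticket ok: user=" + ticket.Name + " path=" + ticket.CookiePath
             + " expires=" + ticket.Expiration.ToString("o");
    }
}

// Global.asax.cs, for the duration of the troubleshooting only.
public class Global : HttpApplication
{
    // BeginRequest fires before AuthenticateRequest, so the cookie is examined
    // exactly as the browser sent it, before forms authentication acts on it.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        Debug.WriteLine(Request.RawUrl + " -> " + AuthCookieDiagnostics.Describe(Request));
    }
}
```

Comparing the line logged for the secured page on a working server with the one on the failing server shows at which of the three checks the two diverge.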
 
Luke Zhang [MSFT]

Hello Stephen,

Thank you for the code. After reviewing the code, I suggest you check the
following issues:

1. Since you have checked the redirectURL and confirmed it is correct, you may
also check these values: FormsCookiePath, DateTime.Now and dtTimeout. (I
understand the system has been working for months, and these values are
almost no problem. But it is still worth a try to ensure we have checked
everything there.)
2. Temporarily use FormsAuthentication.RedirectFromLoginPage instead of
setting cookies by code. (Just to ensure there is no problem with the cookies.)

Please let me know the result of the above tests. I am looking forward to
hearing from you.

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Stephen Davies

FormCookiePath is "/"

dtTimeout set to one hour from the login time (in the case of non persistent)

DateTime.Now is correct

Removing the code

// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);

// Set the cookie's expiration time to the tickets expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);

if (redirectURL == null || redirectURL == "noRedirect") return;

// Don't call FormsAuthentication.RedirectFromLoginPage since it could
// replace the authentication ticket (cookie) we just added
// string fred = FormsAuthentication.GetRedirectUrl(strUser, false);
// Debug.WriteLine("FormsAuthCore GetRedirectURL (not used) ->" + fred);

Debug.WriteLine("FormsAuthCore set cookie lastlogin->" + strUser.ToUpper());
SetCookie("lastlogin", strUser.ToUpper());
Debug.WriteLine("FormsAuthCore - Redirect to ->" + redirectURL);
Response.Redirect(redirectURL);

----------------------------------------------------------------
and replacing with
----------------------------------------------------------------

FormsAuthentication.RedirectFromLoginPage(strUser.ToUpper(), bPersistant);
return;

Yields the problem on ALL platforms, the redirect does not happen. Switch
back to the original code and it functions correctly (with the redirect to
the desired secured page), interesting?

The redirect still gets intercepted by the login authorisation on the
production platform in either scenario.

Regards
Stephen Davies
 
Luke Zhang [MSFT]

Just to ensure we don't miss the simplest thing: if you copy the web.config
from the QA server to the production server, what is the result? Also, have you
tested the application by logging on to the production server, opening IE and
browsing the web application? This lets us check whether there is any problem
like a proxy or firewall.

Sincerely,

Luke Zhang

Microsoft Online Community Support
 
Stephen Davies

Refer to my original post: I have copied the complete site (web config included)
to another win2003 box and it works perfectly.

As I mentioned, I am sure it's a .net problem, not an application problem.
 
Luke Zhang [MSFT]

To confirm if this is .NET framework issue, you may first try to
re-register the ASP.NET on the server:

Aspnet_regiis -ua

and then:

Aspnet_regiis -i

For more details on Aspnet_regiis:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1f74eac5-9005-4f91-9137-f63b73eefde8.mspx?mfr=true

And you also can try to repair the framework:

http://support.microsoft.com/?scid=kb;en-us;306160

Sincerely,

Luke Zhang

Microsoft Online Community Support
 
kelghayesh

Any resolution to this issue? I have a similar problem: developing a
web app in VS 2005 using forms authentication. My dev box is win XP and
the app is in C#. Forms authentication used to work just fine on my dev
box. Recently, the login page is not redirecting to the return URL, and
I keep getting the login page back. I have a directory in the app with
all the pages that require login. The directory as well as the login
page are defined in web.config. The last version of the app deployed to
a win2003 server is working fine there. Now, I can't deploy the latest
version until I fix forms authentication on my dev box and figure out
what's going on.

The code is very similar to Stephen's and the debug statements yield
similar values. Sounds like an environment issue but I can't figure out
what has happened. What do you guys think? Thanks, Khaled.
 
Stephen Davies

Hi Luke (and Khaled)

Well unfortunately we could not wait any longer and the box was rebuilt
before I could resolve this issue.

Upon reloading the site from the development XP machine (which has always
worked) the production site functions as expected with the correct redirect.

Thank you Luke for your attempts to resolve the issue and Khaled, sounds
like you have a problem in your code if none of the platforms work. In my
case the development platform functioned correctly but shipping the
login page and executable to the production environment failed; this said to
me the code was fine.

Do what Luke suggested and create a new simple aspnet authentication
project and see if that functions in your test environment. If it does then
you need to look deeper into your code. You might further prove the code by
shipping the aspx and assembly to another machine and trying it there.
 
