FormsAuthentication and Redirection fails

Discussion in 'ASP .Net Security' started by Alan Dean, Aug 11, 2004.

  1. Alan Dean

    Alan Dean Guest

    Hi,

    I am using FormsAuthentication in VS.NET 2003, but for some reason the
    authentication code does not seem to be behaving as expected.

    The behaviour looks like it is not redirecting from the login page, however
    I suspect that the problem is that the page is redirecting but the
    FormsAuthentication framework is bouncing the page straight back.

    I have built a cut-down version of my full implementation and still see the
    same behaviour. The cut-down version is:

    Web.Config:
    ------------

    ....
    <authentication mode="Forms">
      <forms name=".Auth" path="/" loginUrl="Login.aspx" protection="All" timeout="20" />
    </authentication>

    <authorization>
      <deny users="?" />
    </authorization>
    ....

    Login.aspx.cs
    -----------

    ....
    private void Button1_Click(object sender, System.EventArgs e)
    {
        WriteTicket("user name", Authenticate("user name", "password"));
    }

    public static string Authenticate(string EmailAddress, string Password)
    {
        return AuthenticationTicket(EmailAddress, Password);
    }

    private static string AuthenticationTicket(string EmailAddress, string Password)
    {
        // we'll say that all logins are valid...
        return EncryptedTicket(EmailAddress, "Guest");
    }

    private static string EncryptedTicket(string emailAddress, string roles)
    {
        FormsAuthenticationTicket _ticket = new FormsAuthenticationTicket(1,
            emailAddress, DateTime.Now, DateTime.Now.AddMinutes(20), false, roles);
        return FormsAuthentication.Encrypt(_ticket);
    }

    protected virtual void WriteTicket(string userName, string ticket)
    {
        // create a new cookie and add the authentication ticket:
        HttpCookie _cookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticket);
        // add this to the outgoing cookie collection:
        Response.Cookies.Add(_cookie);
        // redirect to the originally requested page:
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, true), false);
    }

    ....

    I have tried to use the following instead of
    FormsAuthentication.GetRedirectUrl(...):
    FormsAuthentication.RedirectFromLoginPage(userName, true, "/");

    Stepping through the code shows the ticket being created, encrypted and
    written to the cookie collection with no problems. I have cookies enabled on
    my browser.

    As an observation, I have run the MBSA on my machine and I have run IIS
    LockDown. Has this disabled something required by the FormsAuthentication?

    Hoping someone can help,
    Alan Dean
     
    Alan Dean, Aug 11, 2004
    #1

  2. Alan Dean

    Raterus Guest

    I think you are forgetting to allow the authenticated users...try this:

    <authorization>
    <deny users="?" />
    <allow users="*" />
    </authorization>

    --Michael

     
    Raterus, Aug 11, 2004
    #2

  3. Alan Dean

    Alan Dean Guest

    I'm afraid that's not it. I forgot to mention that I have tried that.

    Alan

     
    Alan Dean, Aug 11, 2004
    #3
  4. Alan Dean

    Raterus Guest

    Any reason you are using a period in front of your forms name, ".Auth"? That eventually translates into the authentication cookie name, and browsers may not like that. Also, concerning my last suggestion, make sure you do that, as that is the correct way to do it.

     
    Raterus, Aug 11, 2004
    #4
  5. Alan Dean

    Alan Dean Guest

    I've tried it with and without the period (some samples use it, some don't).

    Still doesn't work even with both suggestions implemented.

    Regards,
    Alan

     
    Alan Dean, Aug 11, 2004
    #5
  6. Alan Dean

    Alan Dean Guest

    I've figured the reason why this behaviour is happening.

    I run ZoneAlarm, and it seems that it blocks cookies from http://localhost
    even when set to allow cookies... grrrr....

    Thanks to Raterus for offering assistance.

    Alan Dean

     
    Alan Dean, Aug 11, 2004
    #6
  7. Alan Dean

    Mach Runner Guest

    Have you discovered how to defeat this problem?
    I am having the same problem as you ....
     
    Mach Runner, Aug 13, 2004
    #7
  8. Alan Dean

    Faassen, B. Guest

    I have the same problem. I don't use ZoneAlarm or whatever. Even a fresh WinXP installation gives the same result. It always returns back to the login page while authentication was successful!

    I tried several browsers also. Some will be returned back to the login page and others continue to the next requested page. If returned back to the login page, most of the times I can request the real URL again and I will get it. Thus the authentication was successful but IIS or ASP.NET or whatever doesn't notice that...


    Barry
     
    Faassen, B., Aug 27, 2004
    #8
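
Added example, not part of any post in this thread: posts #6 and #8 both describe a login that succeeds on the server and is then bounced back to Login.aspx, so this diagnostic for Global.asax.cs records, per request, whether the forms cookie came back at all (the ZoneAlarm case) or came back and was rejected. The class name Global, the helper DescribeAuthCookie and the trace category "FormsAuthDiag" are assumptions; the cookie value itself is never logged.

```csharp
// Added diagnostic example, not code from the thread. Goes in Global.asax.cs.
// Hypothetical names: class Global, helper DescribeAuthCookie, category "FormsAuthDiag".
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Fires on every request after FormsAuthenticationModule has examined the
    // cookie and before URL authorization (<deny users="?" />) redirects to loginUrl.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        string line = Request.RawUrl
            + " authenticated=" + Request.IsAuthenticated
            + " : " + DescribeAuthCookie(cookie);
        // Written to the debugger output / any configured trace listener.
        System.Diagnostics.Trace.WriteLine(line, "FormsAuthDiag");
    }

    // Classifies the state of the forms-authentication cookie on this request.
    // Only the cookie name and ticket metadata are reported, never the cookie
    // value, because the encrypted ticket is a bearer credential.
    public static string DescribeAuthCookie(HttpCookie cookie)
    {
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
        {
            // The server sent Set-Cookie at login but the client did not return it:
            // a browser setting, proxy or personal firewall removed it, or the
            // cookie path/domain does not match the URL being requested.
            return "no '" + FormsAuthentication.FormsCookieName + "' cookie in request";
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            // Decryption or validation failed, e.g. the value was truncated or
            // altered in transit, or was issued under a different machineKey.
            // The exception type varies by framework version, so catch broadly.
            return "cookie present but ticket rejected (" + ex.GetType().Name + ")";
        }

        if (ticket == null)
        {
            return "cookie present but ticket could not be read";
        }
        if (ticket.Expired)
        {
            return "ticket for '" + ticket.Name + "' expired at " + ticket.Expiration;
        }
        return "valid ticket for '" + ticket.Name + "', expires " + ticket.Expiration;
    }
}
```

A run of "no cookie in request" lines immediately after a successful login points at the client side of the connection rather than at Web.config or the ticket code.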