ASP.NET - User.Identity.IsAuthenticated returning false unexpectedly

Discussion in 'ASP .Net Security' started by taylomic, Dec 19, 2008.

  1. taylomic

    taylomic Guest

    Overview: ASP.NET - Page.User.Identity.IsAuthenticated returning false
    mid-session, only when not using SSL and only when the client machine is
    Windows Vista or Server 2008.

    I'm experiencing a bizarre issue with ASP.NET membership authentication
    where, mid-session, during a page request in which I am checking
    Page.User.Identity.IsAuthenticated, it will return as false and then, in
    subsequent pages, it will return as true again.

    To make the issue more interesting, we only discovered that this was an
    issue when we started getting reports from our customers that they were
    randomly not authenticated on certain pages, but only when they were using
    Windows Vista or Windows Server 2008. Windows 2000, Windows XP, and Windows
    Server 2003 (all with IE6 or IE7) are fine. Additionally, our customers that
    were using SSL (https) to host our product were not reporting the same
    issues. Further testing revealed that the issue does not occur at all if the
    site is hosted via SSL, but the exact same site accessed via plain old HTTP
    produces the issue only when accessed via Vista and 2008 clients.

    I've created a small example solution that demonstrates the issue. I also
    tested this using .Net 2.0 (Visual Studio 2005) and .Net 3.5 (Visual Studio
    2008) and from different IIS versions, 6 and 7.

    I've whipped up a miniature example project that shows the problem.

    I'm hosting the example at:

    I'm hosting the example via SSL at:

    You can download the example project at:

    The example project is an ASP.NET front end with a .NET VB DLL backend and
    an ASP.NET membership database with open-enrollment. When logged in, the user
    can view an image or a video (via Windows Media Player object/embed). Both
    the image and the video are presented in roughly the same way, but the video
    fails every time (from a Vista or 2008 client machine via non-SSL) because a
    check is done to confirm that the user is authenticated during the init of
    each page render that is coming back false even though the user is logged in
    and continues to be logged in during subsequent page requests. The image and
    video data is produced, in this example as it is in our actual product, via a
    response.binarywrite of the data directly. My best guess is that media
    player 11, which Vista and Server 2008 share in common, is producing the

    Note: Should you try the example project above or download the project to
    work with locally, I've created a user in the database already, but you can
    create your own if you wish. Username: user Password: a

    If anyone can shed some light on this or has any ideas, please respond. (Let
    me know if I should post any code snippets... everything is included in the
    project download above)

    Thank you.

    Mike Taylor
    Software Engineer

    Bold Technologies
    taylomic, Dec 19, 2008
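
One way to narrow down a report like the one above, as an added example that is not part of the original post or the poster's project: an HTTP module that records, for every request, whether the forms-authentication cookie arrived and whether its ticket is usable, next to the User-Agent and the HTTP/HTTPS flag. The module name `AuthCookieTraceModule` and the `auth-trace` log prefix are hypothetical, and C# is assumed for the web front end.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Added diagnostic example (hypothetical module name). Register it under
// <httpModules> (IIS 6) or <system.webServer><modules> (IIS 7 integrated mode).
public class AuthCookieTraceModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fires after FormsAuthenticationModule has populated Context.User.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpRequest req = ((HttpApplication)sender).Context.Request;
        HttpCookie cookie = req.Cookies[FormsAuthentication.FormsCookieName];

        // The User-Agent is client-controlled: strip CR/LF before logging it.
        string ua = (req.UserAgent ?? "(none)").Replace("\r", " ").Replace("\n", " ");

        // One line per request; the cookie value itself is never written.
        Trace.WriteLine(string.Format(
            "auth-trace path={0} https={1} authenticated={2} ticket={3} ua=\"{4}\"",
            req.Path, req.IsSecureConnection, req.IsAuthenticated,
            DescribeTicket(cookie), ua));
    }

    // Classifies the forms-auth cookie without exposing its contents.
    private static string DescribeTicket(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "absent";               // the client did not send the cookie
        try
        {
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookie.Value);
            if (t == null) return "undecryptable";
            return t.Expired ? "expired" : "valid";
        }
        catch (Exception)                  // tampered, truncated or wrong-key value
        {
            return "undecryptable";
        }
    }

    public void Dispose() { }
}
```

Comparing the lines for the image request and the video request from the same logged-in session shows whether the failing check saw `ticket=absent` (the cookie never reached the server on that request) or a cookie that was sent but rejected.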