FormsAuthentication and Redirection fails

Alan Dean

Hi,

I am using FormsAuthentication in VS.NET 2003, but for some reason the
authentication code does not seem to be behaving as expected.

The behaviour looks like it is not redirecting from the login page, however
I suspect that the problem is that the page is redirecting but the
FormsAuthentication framework is bouncing the page straight back.

I have built a cut-down version of my full implementation and still see the
same behaviour. The cut-down version is:

Web.Config:
------------

....
<authentication mode="Forms">
    <forms name=".Auth" path="/" loginUrl="Login.aspx" protection="All" timeout="20" />
</authentication>

<authorization>
    <deny users="?" />
</authorization>
....

Login.aspx.cs
-----------

....
private void Button1_Click(object sender, System.EventArgs e)
{
    WriteTicket("user name", Authenticate("user name", "password"));
}

public static string Authenticate(string EmailAddress, string Password)
{
    return AuthenticationTicket(EmailAddress, Password);
}

private static string AuthenticationTicket(string EmailAddress, string Password)
{
    // we'll say that all logins are valid...
    return EncryptedTicket(EmailAddress, "Guest");
}

private static string EncryptedTicket(string emailAddress, string roles)
{
    FormsAuthenticationTicket _ticket = new FormsAuthenticationTicket(1,
        emailAddress, DateTime.Now, DateTime.Now.AddMinutes(20), false, roles);
    return FormsAuthentication.Encrypt(_ticket);
}

protected virtual void WriteTicket(string userName, string ticket)
{
    // create a new cookie and add the authentication ticket:
    HttpCookie _cookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticket);
    // add this to the outgoing cookie collection:
    Response.Cookies.Add(_cookie);
    // redirect to the originally requested page:
    Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, true), false);
}

....

I have tried to use the following instead of
FormsAuthentication.GetRedirectUrl(...):
FormsAuthentication.RedirectFromLoginPage(userName, true, "/");

Stepping through the code shows the ticket being created, encrypted and
written to the cookie collection with no problems. I have cookies enabled on
my browser.

As an observation, I have run the MBSA on my machine and I have run IIS
LockDown. Has this disabled something required by the FormsAuthentication?

Hoping someone can help,
Alan Dean
 
Raterus

I think you are forgetting to allow the authenticated users...try this:

<authorization>
<deny users="?" />
<allow users="*" />
</authorization>

--Michael
 
Alan Dean

I'm afraid that's not it. I forgot to mention that I have tried that.

Alan

 
Raterus

Any reason you are using a period in front of your forms name, ".Auth"? That eventually translates into the authentication cookie name, and browsers may not like that. Also, concerning my last suggestion, make sure you do that, as that is the correct way to do it.
 
Alan Dean

I've tried it with and without the period (some samples use it, some don't).

Still doesn't work even with both suggestions implemented.

Regards,
Alan

 
Alan Dean

I've figured the reason why this behaviour is happening.

I run ZoneAlarm, and it seems that it blocks cookies from http://localhost
even when set to allow cookies... grrrr....

Thanks to Raterus for offering assistance.

Alan Dean
 
Mach Runner

Have you discovered how to defeat this problem?
I am having the same problem as you ....
 
Faassen, B.

I have the same problem. I don't use ZoneAlarm or whatever. Even a fresh WinXP installation gives the same result. It always returns back to the login page while authentication was successful!

I tried several browsers also. Some will be returned back to the login page and others continue to the next requested page. If returned back to the login page, most of the time I can request the real URL again and I will get it. Thus the authentication was successful but IIS or ASP.NET or whatever doesn't notice that...


Barry
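
A diagnostic for the symptom discussed in this thread, as an added example that is not part of any post: it records, for every request, whether the forms cookie came back from the browser and whether its ticket decrypts, which separates a cookie blocked on the client (the ZoneAlarm case above) from a ticket the server rejects. The `DescribeAuthCookie` helper and the use of page tracing (trace.axd enabled on a development machine) are assumptions for illustration.

```csharp
// Global.asax.cs -- added diagnostic, not code from the thread.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical helper: classify what the browser returned for the forms cookie.
    public static string DescribeAuthCookie(HttpCookie cookie)
    {
        if (cookie == null)
            return "absent (browser or a local filter never sent it back)";
        if (cookie.Value == null || cookie.Value.Length == 0)
            return "empty (cookie name present, no ticket value)";
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null)
                return "undecryptable";
            if (ticket.Expired)
                return "expired at " + ticket.Expiration.ToString("u");
            return "valid for '" + ticket.Name + "'";
        }
        catch (Exception ex)
        {
            // A malformed or tampered value can make Decrypt throw.
            return "rejected (" + ex.GetType().Name + ")";
        }
    }

    // Runs on every request, including the redirect that follows the login post.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        Context.Trace.Write("FormsAuth",
            Request.RawUrl + ": cookie " + DescribeAuthCookie(cookie) +
            ", IsAuthenticated=" + Request.IsAuthenticated);
    }
}
```

If the request that follows the login redirect logs "absent", the ticket was issued but never returned, so the cause is on the client side rather than in the Web.Config authorization rules.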
 
