Login / auth cookie problem after migrating to .NET 2.0

[jazzdrums]

Hello,

we have migrated our website from .NET 1.1 to .NET 2.0.
After this, some of our users are unable to log-on our site, while for
the majority of them there's no problem.

We're using a standard procedure to login (see below).

The Request.Cookies[FormsAuthentication.FormsCookieName] returns NULL,
after their login attempt, on subsequent pages. We're setting other
cookies, for instance the cookies of google analytics, with no
problem.The're no problem too with the ASP.NET_SessionId cookie.

The only way for them to be able to logon, is to manually delete their
cookies.

Here is the code, we're using:

iduser = Encryption.Encrypt(userid.ToString());
FormsAuthentication.SetAuthCookie(iduser, false);
userdata = "XXX";

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, // version
iduser, // user name
DateTime.Now, // issue time
DateTime.Now.AddHours(72), // expires
persistent, // persistent
userdata // user data
);
FormsCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
FormsAuthentication.Encrypt(ticket));
HttpContext.Current.Response.Cookies.Add(FormsCookie);

Then we do a Response. Redirect.

Does anybody have an idea of what we can do ? It's a real problem for
us.
Thanks in advance

 

[Kevin Spencer]

I'm not sure how you would do this in .Net 1.1, but here is the
documentation and some samples for doing it in .Net 2.0. Notice that the
FormsAuthentication.SetAuthCookie method sets a Cookie, and that the
FormsAuthenticationTicket class example does not use
FormsAuthentication.SetAuthCookie to create a Cookie:

http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx
http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthentication.setauthcookie.aspx

--
HTH,

Kevin Spencer
Microsoft MVP

DSI PrintManager, Miradyne Component Libraries:
http://www.miradyne.net

 

[jazzdrums]

Hi,

thanks for the reply. Yes we're using .NET 2.0 already.

Anyway, I've found the solution but cannot really explain it and if
you have an idea about that, I would be really interested.

I realized that 2 cookies were actually created: one associated with
"mydomain.com" and one with "www.mydomain.com".

The problem was solved by setting the cookie domain to "mydomain.com".
It doesn't work when I set it to "www.mydomain.com" and I don't know
why.

Regarding the IIS configuraiton, the websites headers doesn't contain
"mydomain.com". We have a second website defined that redirect
"mydomain.com" to "www.mydomain.com" for the people just arriving on
our site using "mydomain.com".

What I don't understand is is why did the .NET framework create a
"mydomain.com" cookie by default (i.e. when no domain was set), even
if I came to the website with the "www.mydomain.com" URL ?

Then the problem occured when people logged in on the previous version
of the site (.NET 1.1) with an old "mydomain.com" cookie : the new
version of the site was unable to read this cookie or overwrite it.
And so the user was unable to logon. When we set the domain property
of the cookie to "mydomain.com", it works, the cookie can then be
overrided and everything works fine. Note that it wasn't systematics:
only around 20 to 30% of our users encountered it.

Thanks again for your reply