Java applet + authentication failure in ASP.NET

My problem is that I have a .NET application with a Java applet embedded in it. The Java applet sends an HTTP request to the server for a file like downloadfile.aspx. I believe, but cannot confirm, that the applet is including (at least) two cookies in the HTTP request: the ASPNET_SessionID and a "Login" cookie that matches the application's forms authentication.

In web.config:
<authentication mode="Forms">
  <forms name="Login" loginUrl="Interactive/bounceToLogin.html" timeout="30"/>
</authentication>

The problem is that some -- a small percentage of my users -- are using this applet to get a .NET web form like downloadfile.aspx, but the server response is the bounceToLogin.html page defined in the <forms> tag instead. Does anybody have some ideas how to ensure that the connection is authenticated?

P.S. I thought I had solved over here: but it's popped up again.
// in the Java applet
URL u = new URL(myurl);
HttpURLConnection conn = (HttpURLConnection)u.openConnection();
conn.setRequestProperty("Cookie", "ASP.NET_SessionId=" + sessionID);
conn.setRequestProperty("Cookie", "Login=" + loginID);
// sessionID and loginID are defined in download.aspx, the page that
// contains the applet.
// in download.aspx:
sessionString = HttpContext.Current.Session.SessionID
// and then
<applet ...><PARAM NAME="sessionID" VALUE="<%# sessionString %>"></applet>
// also in download.aspx:
<param name="loginID" value="<%# Request.Cookies["Login"].Value %>">
sessionID =  and passed as to the applet as a parameter
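
The applet code above calls setRequestProperty("Cookie", ...) twice. HttpURLConnection.setRequestProperty overwrites any existing value for the same key, so the two calls do not accumulate. The following is an added example, not code from the original post: it joins the pairs into a single Cookie header value and rejects characters that could split the header. The class name, helper names and sample values are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class CookieHeaderExample {

    // Builds one Cookie header value ("a=1; b=2") from name/value pairs.
    static String buildCookieHeader(Map<String, String> cookies) {
        StringBuilder header = new StringBuilder();
        for (Map.Entry<String, String> e : cookies.entrySet()) {
            requireSafe(e.getKey(), true);
            requireSafe(e.getValue(), false);
            if (header.length() > 0) {
                header.append("; ");
            }
            header.append(e.getKey()).append('=').append(e.getValue());
        }
        return header.toString();
    }

    // Rejects empty strings, control characters (including CR/LF), spaces,
    // ';' and ',' so a value cannot end the header or smuggle in another cookie.
    // '=' is additionally rejected in names.
    static void requireSafe(String s, boolean isName) {
        String what = isName ? "name" : "value";
        if (s == null || s.isEmpty()) {
            throw new IllegalArgumentException("empty cookie " + what);
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c <= 0x20 || c == 0x7f || c == ';' || c == ',' || (isName && c == '=')) {
                throw new IllegalArgumentException("illegal character in cookie " + what);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for the applet's sessionID and loginID parameters.
        Map<String, String> cookies = new LinkedHashMap<>();
        cookies.put("ASP.NET_SessionId", "abc123sample");
        cookies.put("Login", "0A1B2C3DSAMPLE");
        // In the applet, set the header once: conn.setRequestProperty("Cookie", header);
        System.out.println(buildCookieHeader(cookies));

        cookies.put("Login", "x\r\nX-Injected: 1"); // constructed hostile value
        try {
            buildCookieHeader(cookies);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```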



We've had similar issues where some users use www. and some leave that bit out however if you have the link to your applet (form in our case) hard coded to either www. or not you can make the cookie invalid (i.e. it's effectively crossing domains) - this was an issue around IE 5.5 time (couple of years ago).

tjgquicken (Author) Commented:
I tried our applet with both the www. and without, and that didn't make a difference.

However, we have our applet running on two different domains, and it works on one domain but not on the other one. Looking at the Java console from both domains and comparing them, I noticed these two different lines.

On the working domain:
network: Connecting with cookie "ASP.NET_SessionId=[sessionId]; Login=[long hex string]; roles=[long hex string]

On the non-working domain, the "Login" part of that cookie is missing:
network: Connecting with cookie "ASP.NET_SessionId=[sessionId]; roles=[long hex string]

The Java code is the same on both domains, so I'm not sure why the applet on one domain is sending the Login cookie and the applet on the other domain isn't.

tjgquicken (Author) Commented:
I also noticed that if I add an extra cookie in the Java code:

conn.setRequestProperty("Cookie", "test=1");

there's no change in the output, i.e. it's still

network: Connecting with cookie "ASP.NET_SessionId=[sessionId]; roles=[long hex string]

with no Login cookie or test cookie.

tjgquicken (Author) Commented:
Stupid, inefficient solution: essentially re-create the cookie on the page with the applet.
i.e. Response.Cookies.Add(new HttpCookie("Login", Request.Cookies["Login"].Value));
