?
Solved

ASP.NET Forms Authentication - Subsequent logins redirected to wrong page

Posted on 2008-06-13
15
Medium Priority
?
1,491 Views
Last Modified: 2010-04-21
I have an ASP.NET 3.5 application that uses Forms Authentication.  When first launching a browser, everything works correctly (login, access protected pages, logout).

After SignOut(), no user can use the app without closing the browser (tested IE and Safari).  Specifically, after the next user logs in, the response is redirected to the app's public home page and not to the private page.  

   - I've verified that the auth cookie is no longer present.
   - The code path is the same in both cases
   - I do use a Login control but I manually control the login process (auth, ticket, and redirect)
   - At login, the Session ID is changed
   - This behavior exists regardless of whether I am using a developer server or a production server

Everything appears to be correct but the user is always redirected to the app's home page.  (I have a default.aspx file that is not used; it performs a redirect on load but this code is never called)

I use the FormsAuthentication SignOut() routine, I Abandon() the session, I've verified that my cookies and the auth cookie are no longer present, and I've checked the Response redirect URL -  What else controls the final page after login?  And, since the session is new, what else does the server manage that could interfere with authenticating a second user?
0
Comment
Question by:RobMinnis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 7
15 Comments
 
LVL 33

Expert Comment

by:raterus
ID: 21781240
Is there a ReturnURL set in the Querystring on the first request that isn't there on the second?  When a default URL isn't set, asp.net will redirect you to default.aspx in the root directory.

You might want to try setting defaultUrl in web.config (same place you set the logonUrl) and see what happens.
0
 

Author Comment

by:RobMinnis
ID: 21781341
The DefaultURL is the same in both cases and I override the default with an explicit redirect.  As mentioned, the default.aspx file is present but is not accessed.
0
 
LVL 33

Expert Comment

by:raterus
ID: 21781426
Can you post your web.config, specifically the <forms section, and the code that handles your Login?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:RobMinnis
ID: 21781750
Login ----------------------------------------------------------------------------------------------------------
System.Web.Security.FormsAuthentication.SetAuthCookie(name, li_Login.RememberMeSet);
Response.Redirect("~/General/Home.aspx", false);

Logout ----------------------------------------------------------------------------------------
Session.Abandon();
Session.Clear();
Session.Contents.RemoveAll();
System.Web.Security.FormsAuthentication.SignOut();
Response.Redirect("~/Public/Main.aspx"), true);

Web Config ------------------------------------------------------------------------------
<?xml version="1.0"?>
<configuration>
      <configSections>
            <sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
                  <sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
                        <section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
                        <sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
                              <section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="Everywhere"/>
                              <section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
                              <section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
                              <section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/></sectionGroup></sectionGroup></sectionGroup></configSections><appSettings/>
      <connectionStrings/>
      <system.web>
            <!--
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
            <compilation debug="true">
                  <assemblies>
                        <add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                        <add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
                        <add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                        <add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/></assemblies></compilation>
            <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
    <globalization
      culture="auto:en-US"
      uiCulture="auto:en-US"/>
            <authentication mode="Forms">
                  <forms loginUrl="Special/login.aspx" name=".EAGLEEYES" requireSSL="false" defaultUrl="General/Home.aspx" cookieless="AutoDetect" protection="All"/>
            </authentication>
            <authorization>
                  <allow users="?"/>
            </authorization>
            <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
        -->
            <pages>
                  <controls>
                        <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
                        <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></controls></pages>
            <httpHandlers>
                  <remove verb="*" path="*.asmx"/>
                  <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
                  <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
                  <add verb="GET,HEAD" path="ScriptResource.axd" validate="false" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></httpHandlers>
            <httpModules>
                  <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></httpModules></system.web>
      <location path="General">
            <system.web>
                  <authorization>
                        <deny users="?"/>
                  </authorization>
            </system.web>
      </location>
      <system.codedom>
                  <compilers>
                        <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CSharp.CSharpCodeProvider,System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" warningLevel="4">
                              <providerOption name="CompilerVersion" value="v3.5"/>
                              <providerOption name="WarnAsError" value="false"/></compiler></compilers></system.codedom>
      <system.webServer>
                  <validation validateIntegratedModeConfiguration="false"/>
            <modules>
                  <remove name="ScriptModule"/>
                  <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></modules>
            <handlers>
                  <remove name="WebServiceHandlerFactory-Integrated"/>
                  <remove name="ScriptHandlerFactory"/>
                  <remove name="ScriptHandlerFactoryAppServices"/>
                  <remove name="ScriptResource"/>
                  <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
                  <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
                  <add name="ScriptResource" verb="GET,HEAD" path="ScriptResource.axd" preCondition="integratedMode" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></handlers></system.webServer>
      <runtime>
            <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
                  <dependentAssembly>
                        <assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/>
                        <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/></dependentAssembly>
                  <dependentAssembly>
                        <assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35"/>
                        <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/></dependentAssembly></assemblyBinding></runtime></configuration>

0
 
LVL 33

Expert Comment

by:raterus
ID: 21781818
Interesting authorization section, typically I see this,

            <authorization>
                  <deny users="?" />
                  <allow users="*"/>
            </authorization>

This denies unauthenticated users, and allows anyone left.

My guess is the Login control is ultimately your problem, since it tries to do a lot of things automatically for you.  Have you tried to use a completely manual process?
0
 

Author Comment

by:RobMinnis
ID: 21781964
Actually, the login control only handles data collection - the authenticate event is used if the Login button is clicked but, even in that case, it calls the same authentication code (the only difference is that the event's authenticate flag is set).  Regardless of the path, though, I get the same behavior.

The confusion on the auth section may be that there are two different ones.  The first is for the publicly accessible areas and the second is to protected the folder structure that contains the protected files.
0
 
LVL 33

Expert Comment

by:raterus
ID: 21782014
And you're sure the Authenticate method is being called on the second login attempt?  Response.Redirect is a pretty solid method, and once you call it, there isn't a way to undo it, or for futher code to stop it.
0
 

Author Comment

by:RobMinnis
ID: 21782122
Everything goes through my Authenticate() and, yes, I have verified that it is always called.  My guess is that either the authentication is not being recorded somewhere in the internals of FormsAuthentication, that there is some mechanism that is overriding the Redirect (my code terminates after this call so I'm not directly overiding it and, based on the call stack, the same chain of events occurs up to that point in both cases), or that some state is inconsistent after the logout.
0
 
LVL 33

Accepted Solution

by:
raterus earned 2000 total points
ID: 21782199
This site isn't publically accessible that you could give a test username/password is there?

My next course of action is to trace the HTTP Headers of the page and figure out exactly how your browser come to this page, and what page is sending you there.  I can look at it in 1 minute and have what I need, but I can talk you through it as well.

I use these programs to trace,

LiveHTTPHeaders in Firefox
http://livehttpheaders.mozdev.org/

and

IEHttpHeaders in IE
http://www.blunck.se/iehttpheaders/iehttpheaders.html

Download whichever is most convenient, install, and get your page to the login page.  Start the trace, login like you normally would, and paste the results.  Repeat it again after you've logged off and are at the login page again.
0
 

Author Comment

by:RobMinnis
ID: 21782599
After tracing the headers and not seeing anything unusual, I went back at looked at the entire process more closely and finally found the cause of the problem.  There are a set of cookies still being passed around that I thought were deleted.  These cookies direct the app to logout the user (go figure).

So, the question is now "how do I get rid of these dang cookies once I don't need them?"  I thought that Response.Cookies.RemoveAll() would do that but these, in effect, originate at the client (i.e. passed back) and so they are not in the Response list.  I also tried removing them from the Request assuming that this would prevent them from being populated back into the Response but that didn't work.

I can set a short expiration and work around the problem but I'd prefer not to play Russian Roulette with timing.  What is the correct way to get rid of cookies?
0
 
LVL 33

Expert Comment

by:raterus
ID: 21782678
Use javascript, I've written javascript in a many logout pages to actually delete the cookies, because I noticed Response.Cookies.RemoveAll didn't work at all.
0
 

Author Comment

by:RobMinnis
ID: 21782833
Would you happen to have JS handy to delete them?
0
 
LVL 33

Expert Comment

by:raterus
ID: 21782877
It's as simple as setting the expiration to a past date.  This immediately deletes it.

function del_cookie(name) {
document.cookie = name +
'=; expires=Thu, 01-Jan-70 00:00:01 GMT;';
}
0
 

Author Closing Comment

by:RobMinnis
ID: 31467004
Thanks for the help.
0
 

Author Comment

by:RobMinnis
ID: 21783490
Just to follow-up:  The final solution was not to set the expiration via javascript.  Using this technique in IE, the JS actually created a second cookie rather than setting the expiration on the first.  In Safari, it did nothing at all.

The final solution was to set the expiration on the server *after* processing the cookie (i.e. the final segment of the roundtrip from server->client->server) and then to manually add the cookie into the Response object.
   - if you set the expiration at the first step, it will not work if the client's and server's clocks are not synced.  I also added a server-side check to see if the cookie has expired incase the client's clock is out of sync enough that the cookie doesn't expire after another round trip.
   - if you do not manually add the cookie into the Response, the changes to the expiration will not propogate
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In .NET 2.0, Microsoft introduced the Web Site.  This was the default way to create a web Project in Visual Studio 2005.  In Visual Studio 2008, the Web Application has been restored as the default web Project in Visual Studio/.NET 3.x The Web Si…
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question