Serious Bug: FormsAuthentication over Intranet MS Listen Up!!!!!

 
 
Mark Olbert
      01-13-2004
I have been wrestling with FormsAuthentication working on some, but not all, of my development
websites. I think I've determined what is causing the problem, but I can't figure out the
workaround/solution to use in the VS.NET environment.

Background: I recently changed my development environment so that, instead of having access to only
one website at a time on my WinXP development machine I now "host" the sites on a backend Win2K
server. This is all on an intranet; no traversal of the public internet takes place.

To differentiate among the different sites I use multihoming, with each site getting a unique IP
address in the 192.168.1.xxx range. I should point out that the same problem whose "solution" I
describe here also occurred when I was >>not<< using multihoming, but different host header names
instead.

After making that switch, and transitioning the development sites to the Win2K server, I found that
certain Forms Authentication setups that had been running well for months suddenly stopped working.

I confirmed this problem in a stripped-down test application that has only two forms, one a login
form and one an empty form in a protected subdirectory of the site. No real authentication is done;
clicking on the Submit button of the login form simply calls:

FormsAuthentication.RedirectFromLoginPage("user1", true);

Note that this call sets up, or should set up, a persistent cookie.

Only it doesn't. No cookie at all is created, and so the user gets continually bounced back to the
login form.

After researching this for hours on google groups and msdn I came across an old MSDN article
entitled Internet Explorer Drops Site Server Cookie for Intranet Site IP Address (279186). The
article, which dates back to 2002, talks about a problem that can be cured by using the numeric IP
address for an intranet site, rather than its human-readable name.

In desperation I tried (outside of VS.NET) accessing the site with a numeric IP...and the cookie was
created! Authentication succeeded, and I was able to see the protected page.

Accessing the site using the human readable name continued to fail outside of VS.NET, as it had
inside of the development environment.

This problem seems to me to be very serious, in that how the heck can a developer "host" multiple
projects on an intranet that use FormsAuthentication if some of them succeed and some of them
fail???

I anxiously await feedback from Microsoft on how to fix this stupid problem.

- Mark
 
Natty Gur
      01-13-2004
Hi,

It's far from being a solution, but I just wonder why you are using
multihoming in an intranet solution. I use to host about 60 applications on
a single site (single IP) that use
FormsAuthentication without any problems.

Natty Gur[MVP]

blog : http://weblogs.asp.net/ngur
Mobile: +972-(0)58-888377


*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
 
Mark Olbert
      01-13-2004
Ignorance?

Actually, I'm open to suggestion as to how best to handle multiple development sites simultaneously.
I'm currently trying multihoming, but I've also tried the host header approach (I encountered the
same problem, BTW).

What do you do/recommend?

- Mark
 
Shiv Kumar
      01-13-2004
Mark,

This is not a bug actually. As per the W3C, when searching the cookie list
for valid cookies, a comparison of the domain attributes of the cookie is
made with the Internet domain name of the host from which the URL will be
fetched. If there is a tail match, then the cookie will go through path
matching to see if it should be sent. "Tail matching" means that domain
attribute is matched against the tail of the fully qualified domain name of
the host. A domain attribute of "matlus.com" would match host names
"delphi.matlus.com" as well as "delphi.isapi.matlus.com".
Only hosts within the specified domain can set a cookie for a domain and
domains must have at least two (2) or three (3) periods in them to prevent
domains of the form: ".com", ".edu", and "va.us". Any domain that falls
within one of the seven special top-level domains listed below only requires
two periods. Any other domain requires at least three. The seven special top
level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT". The
default value of domain is the host name of the server, which generated the
cookie response.

--
Shiv R. Kumar
http://www.matlus.com
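
Added example, not part of Shiv Kumar's post: a JavaScript sketch of the acceptance rule as the post describes it (minimum period count, then tail match, with the Domain attribute defaulting to the host). Assumptions: periods are counted in the attribute exactly as written, so the leading-dot form ".matlus.com" is used, and the tail match is anchored on a label boundary as RFC 6265 later required; all function names are hypothetical.

```javascript
// The seven special top-level domains named in the post.
const SPECIAL_TLDS = new Set(["com", "edu", "net", "org", "gov", "mil", "int"]);

// Count the periods in a Domain attribute exactly as written (leading dot included).
function periodCount(domain) {
  return (domain.match(/\./g) || []).length;
}

// Minimum-period rule: two periods for the seven special TLDs, three otherwise.
function hasEnoughPeriods(domain) {
  const tld = domain.toLowerCase().split(".").pop();
  const required = SPECIAL_TLDS.has(tld) ? 2 : 3;
  return periodCount(domain) >= required;
}

// Tail match anchored on a label boundary: "matlus.com" matches
// "delphi.matlus.com" but not "notmatlus.com" (a bare suffix compare would).
function tailMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Decide whether a cookie set by `host` with the given Domain attribute is accepted.
function acceptSetCookie(host, domainAttr) {
  if (domainAttr === undefined || domainAttr === "") {
    // No Domain attribute: the cookie is scoped to the exact host that set it.
    return { accepted: true, scope: host.toLowerCase(), hostOnly: true };
  }
  if (!hasEnoughPeriods(domainAttr)) {
    return { accepted: false, reason: "too few periods" };
  }
  if (!tailMatches(host, domainAttr)) {
    return { accepted: false, reason: "host outside domain" };
  }
  return { accepted: true, scope: domainAttr.toLowerCase(), hostOnly: false };
}

// Constructed sample inputs, using host names that appear in the thread.
console.log(acceptSetCookie("delphi.isapi.matlus.com", ".matlus.com"));
console.log(acceptSetCookie("delphi.matlus.com", ".com"));
console.log(acceptSetCookie("devproject1.arcabama.com", undefined));
```
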


 
Steven Cheng[MSFT]
      01-13-2004
Hi Mark,


I'm sorry for keeping you waiting on the former post. I'm now assisting you
on it. Please feel free to followup in the former thread. As for the
question you mentioned in this one:
"how best to handle multiple development sites simultaneously"

In VS.NET there is a "CopyProject" function for you to copy an ASP.NET web
application from one place to another. You can try it by selecting the
"Project-->Copy Project..." menu. In the popup setting dialog, specify a
destination position (using web url). Then, the VS.NET will help you to copy
the current web project to the specified place. Please try it out to see
whether it helps.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Natty Gur
      01-13-2004
Hi,

I don't see any need to use multiple sites on the same machine in an
intranet situation. Usually this technique is used by ISPs that need to
serve different sites with different IPs. This is certainly not the
case while developing intranet applications. You can host all your
applications in a single site.

There are also situations where single application demand heavy network
traffic and to minimize that application impact on other application you
might set it to different IP with different network card.

Natty Gur[MVP]

blog : http://weblogs.asp.net/ngur
Mobile: +972-(0)58-888377


Shiv Kumar
      01-13-2004
> This is certainly not the
> case while developing intranet applications. you can host all your
> applications in single site.


Provided you don't use global.asax in any form and your web.config file has
no special settings required by any of the applications.

--
Shiv R. Kumar
http://www.matlus.com


 
Natty Gur
      01-13-2004
Why?
Every application runs in its own application domain and has its own
global.asax and web.config.

Natty Gur[MVP]

blog : http://weblogs.asp.net/ngur
Mobile: +972-(0)58-888377


Mark Olbert
      01-13-2004
Natty,

I've found that if I don't treat separate development projects (which will ultimately end up as
different websites, for different clients) as separate sites I run into problems like not being able
to resolve local addresses through MapPath() properly.

You may have misunderstood what I was getting at when I said "intranet". These projects will end up
running as separate, standalone websites once they are deployed. They don't all belong to the same
client.

I'm still interested in hearing what you do to develop separate projects for separate clients.

- Mark
 
Mark Olbert
      01-13-2004
Shiv,

I'm not sure I quite follow your argument, but if I'm understanding you, it still doesn't explain
why the site delivers the cookie when it is accessed as http://192.168.1.150 and fails to deliver
the cookie when it is accessed as http://devproject1.arcabama.com, even though the DNS maps
192.168.1.150 to devproject1.arcabama.com. That's what my research shows as happening.

- Mark
 