Forms Authentication - Sudden Redirect Failure on Login

 
 
Stephen Davies
      07-05-2006
I have a strange problem, for months now we have had a dotnet 2.0 application
(previously 1.1 but now upgraded) running on a 2003 server without issue. A
recent small change was made to the site's underlying code and tested on the
development platform of Windows XP, migrated to the QA platform (a Win 2003
server) and finally migrated to production.

Just when you think you are following best practice procedures and fully
testing in each environment the production system fails the login (forms
authentication) for everyone. Now the change was to the binary alone so
that's all that was replaced (I am using the VS2005 Web Deployment Project
tool), so reverting the single old binary in the bin folder brought back the
old login functionality.

The code was reviewed, nothing in the login process was altered, debugging
was added to show that the user was actually authenticated and retrieval of
user data from the login further confirmed that. It's just when the redirect
happens (confirmed correct with debug.writeline of GetRedirectUrl) that it
seems forms authentication intercepts again and redisplays the login page (as
if via a redirect, is not a postback). I have installed fiddler and it looks
like the authentication cookie is correctly placed, I have even tried setting
the authentication as cookieless, still the problem persists.

I have also moved the code binary (and site) to another win2003 server box,
again all works fine. Move the binary back to the production server and the
login fails on redirect again!

I can only assume there is something wrong with the .Net framework on the
production server so did the following:
Shut down IIS,
delete the cache from
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files (using
shift delete, and empty the recycle bin to be sure)
Restart IIS and observe the recreation of the cache.

Still the problem persists, I am lost and at wits end! I have changes that
need to go into production and short of rebuilding the machine (I know that
would fix it) I have run out of ideas.

Does anyone have some fresh ideas or experienced this before themselves?

--
Regards
Stephen Davies
 
Luke Zhang [MSFT]
      07-06-2006
Hello Stephen,

I suggest you create a very simple form authentication web application
and deploy it to the production server, to test if it is an IIS or .NET
framework issue. Also, did the problem occur when you updated to a new version of
the binary assembly? Was the web.config file changed before the problem
happened?

Regards,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Stephen Davies
      07-06-2006
Thanks for the response Luke

"Luke Zhang [MSFT]" wrote:

> I suggest you create a very simple form authentication web application
> and deploy it to the production server, to test if it is an IIS or .NET
> framework issue.


How does this point to an IIS or .Net issue?

I have the application deployed in a Production and Test site on the same
IIS Server (different IP addresses & domain names) with the problem
exhibiting the same symptoms on both sites. Move the same code (binary &
aspx) to any number of other Win2003, Win2K and WinXp machines and the code
works perfectly (as it has done for more than 12 months).

> Also, did the problem occur when you updated to a new version of
> the binary assembly?


Yes, the previous binary (on the production machine) still works (for some
odd reason)

> Was the web.config file changed before the problem happened?


Nope.

 
Luke Zhang [MSFT]
      07-07-2006
Hello,

Thank you for the update. Have you tried compiling the project on the
production server? Also, I saw you work with VS2005 and your original
project is with .NET framework 1.1. Is it possible there is a problem with the .NET
framework version? You may check the site's property in IIS manager, and
select the ASP.NET tab, the .NET framework version registered is there.

Regards,

Luke Zhang
Microsoft Online Community Lead

 
Stephen Davies
      07-07-2006
"Luke Zhang [MSFT]" wrote:

> Hello,
>
> Thank you for the update. Have you tried compiling the project on the
> production server?


This is not an option as the machine is a dedicated server (lots of red tape
to get through). Shouldn't make any difference.

I think you are missing the point here. The application has worked for
nearly 12 months on this machine under the dotnet 2.0 framework, I can copy
the site to other machines (that are dotnet 2.0) and the login process
redirect works perfectly (win2k, win2003 and XP). I am sure it's something in
the framework that needs tending to, I just don't know what.

> Also, I saw you work with VS2005 and your original
> project is with .NET framework 1.1.


It was upgraded to 2.0

> Is it possible there is a problem with the .NET framework version?


No, it is 2.0, it wouldn't work at all compiled with vs2005 if the framework
was 1.1

> You may check the site's property in IIS manager, and
> select the ASP.NET tab, the .NET framework version registered is there.
 
Luke Zhang [MSFT]
      07-10-2006
Hello Stephen,

Could you please show us the code you used for form authentication, for
example, how did you call RedirectFromLoginPage method in your code? Is
CookiePath specified in the method?

Thanks,

Luke Zhang
Microsoft Online Community Lead

 
Stephen Davies
      07-17-2006
Remember this authentication method has been working for 6 months or more
under .net 2.0 and at least 12 months before that under .net 1.1.

The executable currently running on the box is still working!!! It's just
when I recompile this one it fails. Move the executable and pages to another
machine and it's fine, move it back to this one and it fails. This is what makes
me think it's a .net thing not a code thing but here it is anyway:

    DateTime dtTimeout;
    if (bPersistant)
        dtTimeout = DateTime.Now.AddMonths(6);
    else
        dtTimeout = DateTime.Now.AddMinutes(60);

    FormsAuthentication.Initialize();
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                                    // Ticket version
        strUser.ToUpper(),                    // Username associated with ticket
        DateTime.Now,                         // Date/time issued
        dtTimeout,                            // Date/time to expire
        bPersistant,                          // "true" for a persistent user cookie
        role,                                 // User-data, in this case the roles
        FormsAuthentication.FormsCookiePath); // Path cookie valid for

    // Encrypt the cookie using the machine key for secure transport
    string hash = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);

    // Set the cookie's expiration time to the tickets expiration time
    if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

    // Add the cookie to the list for outgoing response
    Response.Cookies.Add(cookie);

    if (redirectURL == null || redirectURL == "noRedirect") return;

    Debug.WriteLine("FormsAuthCore set cookie lastlogin->" + strUser.ToUpper());
    SetCookie("lastlogin", strUser.ToUpper());
    Debug.WriteLine("FormsAuthCore - Redirect to ->" + redirectURL);
    Response.Redirect(redirectURL);

The last Debug.WriteLine has the correct redirectURL in it, it is just
intercepted and front ended with the login page once again with the requested
redirect URL (target secured page) in the ReturnUrl querystring variable.
--
Regards
Stephen Davies


 
Stephen Davies
      07-17-2006
Didn't have the method's header on the last post so here it is complete:

    /// <summary>
    /// The central core for processing the forms authentication
    /// This has been located in the common PageBase to allow
    /// external function to call it and automatically log the
    /// user into the system.
    /// </summary>
    /// <param name="redirectURL"></param>
    /// <param name="role"></param>
    /// <param name="strUser"></param>
    protected void FormsAuthCore(string redirectURL, string role, string strUser, bool bPersistant)
    {
        DateTime dtTimeout;
        if (bPersistant)
            dtTimeout = DateTime.Now.AddMonths(6);
        else
            dtTimeout = DateTime.Now.AddMinutes(60);

        FormsAuthentication.Initialize();
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                    // Ticket version
            strUser.ToUpper(),                    // Username associated with ticket
            DateTime.Now,                         // Date/time issued
            dtTimeout,                            // Date/time to expire
            bPersistant,                          // "true" for a persistent user cookie
            role,                                 // User-data, in this case the roles
            FormsAuthentication.FormsCookiePath); // Path cookie valid for

        // Encrypt the cookie using the machine key for secure transport
        string hash = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);

        // Set the cookie's expiration time to the tickets expiration time
        if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

        // Add the cookie to the list for outgoing response
        Response.Cookies.Add(cookie);

        if (redirectURL == null || redirectURL == "noRedirect") return;

        // Don't call FormsAuthentication.RedirectFromLoginPage since it could
        // replace the authentication ticket (cookie) we just added
        // string fred = FormsAuthentication.GetRedirectUrl(strUser, false);
        // Debug.WriteLine("FormsAuthCore GetRedirectURL (not used) ->" + fred);

        Debug.WriteLine("FormsAuthCore set cookie lastlogin->" + strUser.ToUpper());
        SetCookie("lastlogin", strUser.ToUpper());
        Debug.WriteLine("FormsAuthCore - Redirect to ->" + redirectURL);
        Response.Redirect(redirectURL);
    }

--
Regards
Stephen Davies


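Added example, not code from the thread or from Microsoft: one way to build the ticket cookie by hand, as the FormsAuthCore method above does, while also applying the path, HttpOnly, Secure and domain settings configured for forms authentication and refusing redirect targets that are not site-relative. The class and method names are hypothetical, and ASP.NET 2.0 (System.Web) is assumed.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; class and method names are hypothetical, not from the thread.
public static class TicketCookieExample
{
    // Builds the forms-authentication cookie by hand (so the roles can travel
    // in UserData) but applies the attributes configured on the <forms> element.
    public static HttpCookie BuildAuthCookie(string user, string roles, bool persistent)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = persistent ? issued.AddMonths(6) : issued.AddMinutes(60);

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, user.ToUpper(), issued, expires, persistent, roles,
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;  // same path the ticket records
        cookie.HttpOnly = true;                             // keep client script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;     // honour requireSSL="true"
        if (!String.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;
        if (ticket.IsPersistent)
            cookie.Expires = ticket.Expiration;             // otherwise a session cookie
        return cookie;
    }

    // True only for site-relative targets such as "/secure/page.aspx".
    // App-relative "~/" paths must be resolved before this check.
    public static bool IsLocalRedirect(string url)
    {
        if (String.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        foreach (char c in url)
            if (Char.IsControl(c)) return false;
        return true;
    }

    // Issues the cookie, then redirects; anything that is not a local path
    // falls back to the defaultUrl configured for forms authentication.
    public static void SignInAndRedirect(HttpResponse response, string user,
                                         string roles, bool persistent, string redirectUrl)
    {
        response.Cookies.Add(BuildAuthCookie(user, roles, persistent));
        if (!IsLocalRedirect(redirectUrl))
            redirectUrl = FormsAuthentication.DefaultUrl;
        response.Redirect(redirectUrl);
    }
}
```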
 
Luke Zhang [MSFT]
      07-18-2006
Hello Stephen,

Thank you for the code. After reviewing the code, I suggest you check the
following issues:

1. Since you have checked the redirectURL and confirmed it is correct, you may
also check these values: FormsCookiePath, DateTime.Now and dtTimeout. (I
understand the system has been working for months, and these values are
almost certainly not the problem. But it is still worth a try to ensure we have checked
everything there.)
2. Temporarily use FormsAuthentication.RedirectFromLoginPage instead of
setting cookies by code. (Just to ensure there is no problem with the cookies.)

Please let me know the result of the above tests. I am looking forward to hearing from
you.

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.



 
Stephen Davies
      07-19-2006
FormCookiePath is "/"

dtTimeout set to one hour from the login time (in the case of non persistent)

DateTime.Now is correct

Removing the code

    // Encrypt the cookie using the machine key for secure transport
    string hash = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);

    // Set the cookie's expiration time to the tickets expiration time
    if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

    // Add the cookie to the list for outgoing response
    Response.Cookies.Add(cookie);

    if (redirectURL == null || redirectURL == "noRedirect") return;

    // Don't call FormsAuthentication.RedirectFromLoginPage since it could
    // replace the authentication ticket (cookie) we just added
    // string fred = FormsAuthentication.GetRedirectUrl(strUser, false);
    // Debug.WriteLine("FormsAuthCore GetRedirectURL (not used) ->" + fred);

    Debug.WriteLine("FormsAuthCore set cookie lastlogin->" + strUser.ToUpper());
    SetCookie("lastlogin", strUser.ToUpper());
    Debug.WriteLine("FormsAuthCore - Redirect to ->" + redirectURL);
    Response.Redirect(redirectURL);

----------------------------------------------------------------
and replacing with
----------------------------------------------------------------

    FormsAuthentication.RedirectFromLoginPage(strUser.ToUpper(), bPersistant);
    return;

Yields the problem on ALL platforms, the redirect does not happen. Switch
back to the original code and it functions correctly (with the redirect to
the desired secured page), interesting?

The redirect still gets intercepted by the login authorisation on the
production platform in either scenario.

Regards
Stephen Davies


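Added example, not code from the thread: a check to run on the login page when a request arrives with a ReturnUrl after an apparently successful sign-in, reporting whether the ticket cookie came back, whether it decrypts on this server, and whether its dates and path match the values checked in the posts above. The class and method names are hypothetical; it assumes ASP.NET 2.0 in cookie mode (not cookieless).

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; class and method names are hypothetical, not from the thread.
public static class LoginBounceDiagnostics
{
    // Call from the login page on a GET that carries ReturnUrl, e.g.
    //   Debug.WriteLine(LoginBounceDiagnostics.Describe(Request));
    // Returns one line for the trace log. The cookie value itself is a bearer
    // credential and is never written out.
    public static string Describe(HttpRequest request)
    {
        string env = " [clr=" + Environment.Version
                   + " now=" + DateTime.Now.ToString("s")
                   + " cookieName=" + FormsAuthentication.FormsCookieName
                   + " cookiePath=" + FormsAuthentication.FormsCookiePath
                   + " hasReturnUrl=" + (request.QueryString["ReturnUrl"] != null) + "]";

        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return "NO_COOKIE: browser did not send the ticket cookie" + env;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)   // malformed value, or validation/decryption failed
        {
            return "DECRYPT_FAILED: " + ex.GetType().Name + env;
        }
        if (ticket == null)
            return "DECRYPT_FAILED: no ticket returned" + env;

        string detail = " user=" + ticket.Name
                      + " issued=" + ticket.IssueDate.ToString("s")
                      + " expires=" + ticket.Expiration.ToString("s")
                      + " ticketPath=" + ticket.CookiePath;

        if (ticket.Expired)
            return "EXPIRED: ticket is past its expiry on this server" + detail + env;
        if (ticket.IssueDate > DateTime.Now.AddMinutes(5))
            return "CLOCK_SKEW: ticket was issued in this server's future" + detail + env;

        // The ticket is readable and current here, so the next place to look
        // is a later stage, such as the authorization rules on the target page.
        return "TICKET_OK: authenticated=" + request.IsAuthenticated + detail + env;
    }
}
```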
 
 
 