We have a problem in our production environment, which doesn't occur in our
test-environment.

We have created two ASP.NET applications with a common authorization.

Web-site-company
    Login.aspx
    <application1>
        default.aspx
        applicationpage.aspx
    <application2>
        default.aspx
        anotherapplicationpage.aspx

What happens is this.
We send our customers to the site /Web-site-company/application1.
IIS redirects the users to /Web-site-company/application1/default.aspx, but
they are not authorized yet,
so they are redirected to Login.aspx. After a successful login they are
redirected back to /Web-site-company/application1/default.aspx,
but they still are not authorized, and go back to the login.
But if the customer uses /Web-site-company/application1/applicationpage.aspx
they are authorized and can continue working.

Code from the pages:
/Web-site-company
----- Web.config
<authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="10"
           name="Companyname"
           path="/Web-site-company"
           slidingExpiration="true" />
</authentication>

<authorization>
    <deny users="?" /> <!-- Deny anonymous (unauthenticated) users -->
</authorization>

-----

----- Login.aspx
// Requires: using System.Web; using System.Web.Security;
// Issue the standard forms-authentication cookie for the user (non-persistent)
HttpCookie cookie = FormsAuthentication.GetAuthCookie(UserField.Text, false);
FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);

// Rebuild the ticket with the same properties plus custom user data
FormsAuthenticationTicket newticket = new FormsAuthenticationTicket(
    ticket.Version,
    ticket.Name,
    ticket.IssueDate,
    ticket.Expiration,
    ticket.IsPersistent,
    "Userdata",
    ticket.CookiePath);

// Store the re-encrypted ticket in the cookie and return to the requested page
cookie.Value = FormsAuthentication.Encrypt(newticket);
Context.Response.Cookies.Set(cookie);
Response.Redirect(FormsAuthentication.GetRedirectUrl(newticket.Name,
    newticket.IsPersistent));
-----
/Web-site-company/application1
----- Web.config
<authentication mode="Forms">
    <forms loginUrl="/Web-site-company/Login.aspx"
           protection="All"
           timeout="10"
           name="Companyname"
           path="/Web-site-company"
           slidingExpiration="true" />
</authentication>

<authorization>
    <deny users="?" /> <!-- Deny anonymous (unauthenticated) users -->
</authorization>
-----

----- Default.aspx
private void Page_Load(object sender, System.EventArgs e)
{
    Response.Redirect("applicationpage.aspx", false);
}
-----


Production environment:

<Internet>-----<Firewall>-----<DMZ with web-site-company server>----<Firewall>-----<company network>

Test-environment:
Test-PC and Webserver on the same network.

We used the same MSI-file to install the /Web-site-company and the
applications on the test- and production-environment.

RE: Redirecting back to Login.aspx after successful logon by v-schang

v-schang
Mon May 09 05:59:39 CDT 2005

Hi Cees_alberts,

From your description and the code snippet you provided, here is my
understanding:

1. I'm not sure whether you've referred to the following MSDN reference:

#Forms Authentication Across Applications
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconformsauthenticationacrossapplications.asp?frame=true

The above reference describes the recommended means for enabling
Forms authentication across multiple applications (under the same primary
domain). By default, Forms authentication is per-app based and can't be
shared across different applications (no matter whether the two applications
are hosted in parent/child virtual dirs in IIS or not).

So I suggest that you try using the means described in the MSDN reference
to make cross-app forms authentication, to see whether that can work well.

2. Regardless of the above means, as you mentioned that you've got your
current implementation working well in your test environment, I think we can
first trace the applications' authentication cookie token. In an ASP.NET page
we can turn on the trace in the page's @Page directive as:

<%@ Page Trace="true" .... %>

so as to print a Trace matrix at the bottom of that page's output. That
matrix contains the existing cookies under that app's cookie path. I suggest
you turn on the trace on the Login.aspx page to see whether, every time the
request is redirected to it, the auth cookie is missing. As you mentioned,
after the user passes the login they are still redirected to the login page
when visiting /Web-site-company/application1/default.aspx.
If the authentication cookie does exist, there may be some other problems.

Also, does the problem only occur when accessing default.aspx, or does it only
exist when accessing default.aspx through the app path (default document)
like:
/Web-site-company/application1 ?

If there are any other findings or info, please feel free to post here.
Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
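
The shared-key setup that the MSDN reference cited in the reply above describes, as an added configuration sketch that is not part of the thread. The key values are placeholders, the machine.config default shown assumes ASP.NET 1.1, and the forms values are copied from the original post's Web.config.

```xml
<!-- Added illustration; not taken from the thread. Key values are placeholders. -->

<!-- ASP.NET 1.1 machine.config default: each application derives its own keys,
     so a ticket encrypted by one application cannot be decrypted or validated
     by another, and that application treats the request as anonymous. -->
<machineKey validationKey="AutoGenerate,IsolateApps"
            decryptionKey="AutoGenerate,IsolateApps"
            validation="SHA1" />

<!-- Shared setup: the same explicit keys go inside <system.web> in the
     Web.config of the login application and of every application that must
     accept its ticket. -->
<machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
            decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
            validation="SHA1" />

<!-- The forms element must also agree on name, protection and path in every
     participating application. -->
<authentication mode="Forms">
    <forms loginUrl="/Web-site-company/Login.aspx"
           name="Companyname"
           protection="All"
           path="/Web-site-company"
           timeout="10"
           slidingExpiration="true" />
</authentication>
```

Anyone who holds the shared keys can mint valid tickets, so generate them randomly and restrict read access to the configuration files that carry them.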




RE: Redirecting back to Login.aspx after successful logon by Nico

Nico
Thu May 19 08:17:05 CDT 2005

I have taken over this problem at our company:

I have installed the Login on another system (within our normal network)

1) I have checked the reference and we have created the machinekey but not
with the isolateApplications modifier, but if I try this we get an error.

2) I have enabled the trace (in web.config) and checked for the cookie.

In the trace of the post of the loginform.aspx I have 2 cookies
ASP.NET_SessionId and FloraHolland (the authenticationcookie?)

In the trace of the default.aspx (redirected from loginform)
I have only the ASP.NET_SessionId cookie and I got redirected back to
loginform.aspx

When I try this on the server itself, I get the default.aspx.
In the trace there are 3 cookies. The ASP.NET_SessionId and two times the
FloraHolland cookies (?!!!?) in the cookie collection. In the Headers
Collection I only see this cookie once.



RE: Redirecting back to Login.aspx after successful logon by v-schang

v-schang
Fri May 20 05:19:20 CDT 2005

Hi Nico,

No, you should not set the "isolateApplication" flag since it will prevent
those applications from sharing their authentication cookie.

Also, as for the "FloraHolland" cookie you mentioned, is
"FloraHolland" your web application's cookie name (set in the forms
element)?

Steven Cheng
Microsoft Online Support



RE: Redirecting back to Login.aspx after successful logon by NicoAlsemgeest

NicoAlsemgeest
Fri May 20 05:31:05 CDT 2005

"FloraHolland" is our web application's cookiename.

Nico Alsemgeest


RE: Redirecting back to Login.aspx after successful logon by v-schang

v-schang
Mon May 23 05:31:36 CDT 2005

OK. I'm still thinking that the different apps (parent and sub) are using
different cookies, which causes the problem. Is the problem a page-specific
one or a common one? From the original poster's description, it's a
particular page-based problem. If it's a common problem when navigating
between the pages in those applications, we may need to check the
design structure as I mentioned in the first reply.
Please feel free to let me know if there are any other findings.

Thanks,

Steven Cheng
Microsoft Online Support



RE: Redirecting back to Login.aspx after successful logon by NicoAlsemgeest

NicoAlsemgeest
Tue May 31 03:41:02 CDT 2005

Steven,

I didn't mention this, but I have only installed the login page and its
default.aspx on the second machine. And in this situation I also get the
problem, so I have just one application.

From the first tests I have done, I think it's a problem with the
combination of using the default page in IIS and redirecting from the
login-form.

We have tried the next steps:
Using the IIS default-page = default.aspx (with the redirection to
applicationpage.aspx in C#). We have the problem.

Using the IIS default-page = applicationpage.aspx. We still have the problem.

Not using the default page, but the url of applicationpage.aspx, it works.

Thanks,
Nico.


RE: Redirecting back to Login.aspx after successful logon by v-schang

v-schang
Wed Jun 01 03:33:14 CDT 2005

Thanks for your followup Nico,

As you said, the problem is caused by
===============
combination of using the default page in IIS and redirecting from the
login-form.
===============

Are you also testing through a single ASP.NET web application which uses
FormsAuthentication? Based on my local test (a single ASP.NET app without
parent or other same-level apps), when I use the default page URL

"http://servername/appdir"

to visit the default page and go through the login steps, I can still
correctly visit the default page. So I'm thinking the problem is still
something related to the multi-application structure.

Is there anything different from your test and mine?

Steven Cheng
Microsoft Online Support



RE: Redirecting back to Login.aspx after successful logon by NicoAlsemgeest

NicoAlsemgeest
Wed Jun 01 04:31:37 CDT 2005

>
> Is there anything different from your test and mine?
>

I think not, I only installed the login application, so it should act as a
single asp.net app. But it doesn't work (in our production environment). But
like I said, it works in development and test-environment.

Nico.

RE: Redirecting back to Login.aspx after successful logon by v-schang

v-schang
Thu Jun 02 05:38:40 CDT 2005

OK. I'll try some further testing on my side (using the structure as
mentioned at the start)


Web-site-company
    Login.aspx
    <application1>
        default.aspx
        applicationpage.aspx
    <application2&