Forms Authentication Problem


ElmoWatson

I tried on the Security newsgroup, as well as other places, and haven't
gotten an answer yet - - I'm pulling my hair out over this one.

I'm trying to get Forms Authentication working.....I can get any requested
page to automatically go to the Login.aspx page, AND, the ReturnURL
querystring is correct in the address bar, but no matter what, I can't get
it, once the user is authenticated, to redirect to the new page. It ALWAYS
refreshes the Login.aspx page!

My database has all the users - - I query the database and validate the user
there. This part works - - I've totally verified this.
Then - - I've got this:
If ValidUser = "True" Then
    ' <------- this is the part that DOES NOT work at all - - it never redirects the page
    FormsAuthentication.RedirectFromLoginPage(txtUID.Text, True)
End If

The machine.config points to the correct path for the WebUIValidation.js
file....I'm using MSIE, as are all the other users who are going to be
hitting this app. - - Scripting is allowed.

in the Web.Config, I've got:
<authentication mode="Forms">
<forms name=".MyApp"
loginUrl="login.aspx"
protection="All"
timeout="480"
path="/"
/>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
And I'm importing the Web.Security Namespace on each page.
Does Each subsequent page need anything else in it to make this work?
Please help - - I've been working on this for over a week now! What am I
missing?
 
Thanks - I checked it out - - all the code listings links don't go to the
code at all....nice article, but it doesn't tell me where my problem is.
BTW - If I remove the deny users part - - - - it bypasses the login.aspx
file altogether. I at least had that working
 
Elmo,

It may be redirecting to the page, then redirecting right back to the login
page when it's found that the user isn't authenticated.

The question will be "why isn't the user authenticated when I think he
should be?" Answers I've seen include:

1) Because the cookie is set up wrong and Forms Authentication never sees
it. Check on the domain, path and expiration of the cookie. In particular,
make sure the cookie domain matches your domain. localhost has a blank
domain, BTW.
2) Because the login page and the page you're redirecting to have different
values in the <machineKey> entry in machine.config or web.config.
3) The user _is_ authenticated, but not authorized. Maybe URL authorization
has a typo in a role name, or roles aren't being applied in global.asax.

It sounds like it's time for you to look one layer deeper. In particular,
try turning on tracing in web.config:

<trace enabled="true" requestLimit="100" pageOutput="false"
traceMode="SortByTime" localOnly="true" />

Then reproduce the problem and navigate to
http://localhost/yourSite/trace.axd. It may be instructive.
 
Hmmm,

That website must be having some pretty big link problems! I had bookmarked
it a long time ago. It looks like all their articles file links aren't
working.

Here's a line of code from a different article that I think pertains to you:

If blnIsAuthenticated Then
    FormsAuthentication.RedirectFromLoginPage(strUser, chkPersistLogin.Checked)
End If

This article is using an xml file instead of a database to store usernames
and passwords but the concept is the same. Here's the link:
http://www.15seconds.com/issue/020305.htm

Sincerely,


--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
 
Actually - I have had Tracing on & off several times - -
I see that the cookie is set - - but the weird thing is how it's showing - -
I went to the temporary internet files directory to watch when the cookie
shows up.

I run a page on the site in IE, get referred to the login page, login, and,
as usual, it does NOT redirect me to the original page....
Keep in mind, still no cookie in the directory -- then I close IE - - -
still no cookie.
THEN - when I start IE AGAIN, only going to its default page - - the cookie
shows up in the directory - - I don't get how this behavior works, at all.

Still - the same login scenario happens - - no redirect.

You said:applied in global.asax.

I don't have any roles in play here - this scenario, at this point is
supposed to check against a database table for authorization - - if
there - - validuser is true, else it's false
if it's true, I have it set like this:
FormsAuthentication.RedirectFromLoginPage(txtUID.text, True) and again -
here's where it doesn't work. It DOES, however, set the cookie, named the
same as in the web.config file.

Anything else?? Nothing shows up as
 
Yeah - - that's what I'm using exactly - - that's what doesn't work
correctly
I'm totally lost here......I guess I'll just have to roll my own
authentication system - - I've been at this over a week and I could have had
it all done, if I had manually created it.

Thanks for the help - - if you think of something else - - - post back,
please.
 
Elmo,

Let's be sure we understand each other. Here's a sequence of events to
reproduce:

1) Close _all_ of your browsers
2) Start up IE (preferably with your home page set to about:blank).
3) Navigate to a page which requires you to be authenticated
4) You should be redirected to the login page
5) Check for the cookie; it should be absent.
6) Log in. It should attempt to redirect you to the original page.
7) Whether or not it redirected you, check for the cookie again. If it's
there, post the details, in particular, the path, domain and expiration.

BTW, I don't know how you're seeing the cookie at all. Session cookies
aren't displayed in IE's "View Files" dialog. You'd do better to use a tool
like ProxyTrace from http://pocketsoap.com, which will allow you to see the
actual Set-Cookie header(s).
 
Here are my steps
1. Delete existing cookie, starting from scratch
2. Run a page on web server - - redirects me to login page
3. Login, hoping to go to url in querystring
4. It does NOT redirect me to the correct page - -
in the Trace details, it shows the cookie with the correct name (from
Web.Config Name = section)
5. However, I don't see the cookie in the Temporary Internet Files dir
yet - - close IE -no cookie
6. Start IE (goes to default site which is NOT the web site in question) -
Cookie shows up
7. Details - - - in the directory list (Windows Explorer):
Name: Cookie:myname@testWebserver/ --- this is correct --
Internet Address - same as Name: - TXT file
Expires: 8/5/2053
Last Modified/Last Accessed/Last Checked - - all the same time/date (today)

8. Try running a page on the web server again - - redirects me to login
page, with the originally requested page, correctly, in the querystring
(ReturnUrL) - - cookie shows up with the name given to it, in my Web.config
file.

Does this show you anything?
 
Yeah, Elmo, that's what I figured from your detailed post. Your Forms
Authentication page may be using the same cookie name as being used by that
"classic ASP" page. Choose another name!

You're not _supposed_ to be able to see session cookies in Temporary
Internet Files! The fact that you saw it there suggested that it wasn't from
ASP.NET, and the fact that you saw it after going to the "default" page
suggested that you were getting that cookie from the default page.
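
The checks suggested in the replies above (cookie domain, path and expiration, and the cookie-name clash from the final reply), run over captured Set-Cookie headers. This is an added Python example, not code from the thread; the function names and the capture data are assumptions constructed for illustration.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip(), attrs

def path_matches(request_path, cookie_path):
    """Browser path matching: case-sensitive prefix on whole segments."""
    if request_path == cookie_path or cookie_path.endswith("/"):
        return request_path.startswith(cookie_path)
    return request_path.startswith(cookie_path + "/")

def cookie_problems(header, return_url, forms_name, now):
    """Reasons the browser would not send this cookie back to return_url."""
    name, _, attrs = parse_set_cookie(header)
    url = urlsplit(return_url)
    host, problems = (url.hostname or "").lower(), []
    if name != forms_name:
        problems.append("name differs from <forms name>")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and host != domain and not host.endswith("." + domain):
        problems.append("domain does not match host")
    path = attrs.get("path")
    if path is None or not path_matches(url.path or "/", path):
        problems.append("path missing or does not cover ReturnUrl")
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
            if when.tzinfo is None:  # header without a zone: treat as UTC
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("already expired")
        except (TypeError, ValueError):
            problems.append("unparseable expires")
    return problems

def other_setters(captures, forms_name, login_path):
    """URLs other than the login page that set a cookie named forms_name."""
    return [u for u, h in captures if parse_set_cookie(h)[0] == forms_name
            and urlsplit(u).path.lower() != login_path.lower()]

# Constructed capture, not from the thread: (request URL, Set-Cookie value)
CAPTURES = [("http://testwebserver/MyApp/login.aspx", ".MyApp=0A1B2C; path=/MyApp"),
            ("http://testwebserver/default.asp", ".MyApp=legacy; expires=Tue, 05 Aug 2053 12:00:00 GMT; path=/")]
```

Any URL returned by `other_setters` is a second source writing the same cookie name; an empty list from `cookie_problems` for that second cookie means the browser will present it to the protected pages as well.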
 