Jim
Hi,
We are having a big problem with one of our clients and are hoping that
somebody out there might have some suggestions. We have developed an
ASP.NET (C#) 2002 site with a SQL2K backend which our client uses to enter
conference information. The site uses Forms authentication w/ anonymous
access - we have LDAP code which we use to authenticate against. We
validate two types of users, hosts and consultants. Consultants are
super-users and never have the following problem, although they use the same
pages as the hosts. The following is the auth code from the web.config:
<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="HomePage.aspx" path="/" protection="All" timeout="900" />
</authentication>
We are storing a lot of information in the Session object, which is used to
pass information about the current conference. On the pages where this
error occurs, we pop up a browser window where data is added or modified.
When the save button is clicked, the data in the main browser window is
updated. What happens is that about 10% of the time, the host is redirected
to the HomePage.aspx when they click the Submit button on the popup. The
popup is closed, but they are now on the home page. There is no code on
this page or any of the user controls on this page which redirect to
homepage.aspx, which leads us to believe that this has to do with
authentication.
Now, we only know about this problem from putting an audit trail on the
application - we have never been able to reproduce this bug in house, nor
have we been able to do it on the staging site nor the live site. However,
we know from the audit trail that this really does happen. We also know
that the user is NOT logged off, and could go back in to create another
conference! Also, the conference data is still stored in the Session
object, so they *might* be able to hit the back button on the browser and be
right back in their conference, but we haven't been able to confirm this.
I will include some code in the hope that this will help clarify what's up.
Please, this is a huge deal for us and any help would be tremendously
appreciated.
Code for logging in (shows how we're using authentication):
Session[clsUtil.LOGGED_USER] = l_oPerson;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                                    // Ticket version
    l_oPerson.Email,                      // Username associated with ticket
    DateTime.Now,                         // Date/time issued
    DateTime.Now.AddHours(12),            // Date/time to expire
    true,                                 // "true" for a durable user cookie
    l_oPerson.VisitConsultantFlag == true ? clsUtil.CONSULTANT : clsUtil.HOST,
                                          // User-data, in this case the roles
    FormsAuthentication.FormsCookiePath); // Path cookie valid for
// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,  // Name of auth cookie
    hash);                                // Encrypted ticket
// Set the cookie's expiration time to the ticket's expiration time
cookie.Expires = ticket.Expiration;
// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);
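A request-level diagnostic for the redirect described above, added here as an example and not part of the original post: it records, for every request, whether the forms cookie arrived and whether its ticket decrypts and is still valid, so an audit trail can separate a rejected ticket from a lost Session. The Global class, the DescribeAuthCookie and Log helpers, and the use of System.Diagnostics.Trace as the log sink are assumptions; substitute the application's own audit trail.

```csharp
// Added example (not from the original post). Assumed to live in Global.asax.cs.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Fires on every request, including ones that later end in a login redirect.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        Log("begin", DescribeAuthCookie(Request));
    }

    // A 302 logged here for a page that contains no redirect of its own
    // was issued by the authentication/authorization pipeline.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        Log("end", "status=" + Response.StatusCode);
    }

    // Hypothetical helper: reports the state of the forms ticket on this request.
    private static string DescribeAuthCookie(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return "cookie-missing";
        if (cookie.Value == null || cookie.Value.Length == 0) return "cookie-empty";
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null) return "ticket-null";
            string expiry = ticket.Expiration.ToString("s");
            if (ticket.Expired) return "ticket-expired at " + expiry;
            // UserData carries the role string written at login (host or consultant).
            return "ticket-ok until " + expiry + " role=" + ticket.UserData;
        }
        catch (Exception ex)
        {
            // Decrypt throws when the value was not produced with this machine key.
            return "ticket-undecryptable (" + ex.GetType().Name + ")";
        }
    }

    // Hypothetical helper: one line per event; the sink is an assumption.
    private void Log(string phase, string detail)
    {
        System.Diagnostics.Trace.WriteLine(String.Format(
            "{0:s} {1} {2} {3} authenticated={4} {5}", DateTime.Now, phase,
            Request.HttpMethod, Request.RawUrl, Request.IsAuthenticated, detail));
    }
}
```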