Alan Dean #1
FormsAuthentication and Redirection fails
Hi,
I am using FormsAuthentication in VS.NET 2003, but for some reason the
authentication code does not seem to be behaving as expected.
The behaviour looks like it is not redirecting from the login page, however
I suspect that the problem is that the page is redirecting but the
FormsAuthentication framework is bouncing the page straight back.
I have built a cut-down version of my full implementation and still see the
same behaviour. The cut-down version is:
Web.Config:
------------
....
<authentication mode="Forms">
    <forms name=".Auth" path="/" loginUrl="Login.aspx" protection="All" timeout="20" />
</authentication>
<authorization>
    <deny users="?" />
</authorization>
....
Login.aspx.cs
-----------
....
private void Button1_Click(object sender, System.EventArgs e)
{
    WriteTicket("user name", Authenticate("user name", "password"));
}

public static string Authenticate(string EmailAddress, string Password)
{
    return AuthenticationTicket(EmailAddress, Password);
}

private static string AuthenticationTicket(string EmailAddress, string Password)
{
    // we'll say that all logins are valid...
    return EncryptedTicket(EmailAddress, "Guest");
}

private static string EncryptedTicket(string emailAddress, string roles)
{
    FormsAuthenticationTicket _ticket = new FormsAuthenticationTicket(1,
        emailAddress, DateTime.Now, DateTime.Now.AddMinutes(20), false, roles);
    return FormsAuthentication.Encrypt(_ticket);
}

protected virtual void WriteTicket(string userName, string ticket)
{
    // create a new cookie and add the authentication ticket:
    HttpCookie _cookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticket);
    // add this to the outgoing cookie collection:
    Response.Cookies.Add(_cookie);
    // redirect to the originally requested page:
    Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, true), false);
}
....
I have tried to use the following instead of
FormsAuthentication.GetRedirectUrl(...):
FormsAuthentication.RedirectFromLoginPage(userName , true, "/");
Stepping through the code shows the ticket being created, encrypted and
written to the cookie collection with no problems. I have cookies enabled on
my browser.
As an observation, I have run the MBSA on my machine and I have run IIS
LockDown. Has this disabled something required by the FormsAuthentication?
Hoping someone can help,
Alan Dean
Alan Dean Guest
-
Raterus #2
Re: FormsAuthentication and Redirection fails
I think you are forgetting to allow the authenticated users...try this:
<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>
--Michael
Raterus Guest
-
Alan Dean #3
Re: FormsAuthentication and Redirection fails
I'm afraid that's not it. I forgot to mention that I have tried that.
Alan
Alan Dean Guest
-
Raterus #4
Re: FormsAuthentication and Redirection fails
Any reason you are using a period in front of your forms name? ".Auth", that eventually translates into the authentication cookie name, and browsers may not be like that. Also concerning my last suggestion, make sure you do that, as that is the correct way to do it.
Raterus Guest
-
Alan Dean #5
Re: FormsAuthentication and Redirection fails
I've tried it with and without the period (some samples use it, some don't).
Still doesn't work even with both suggestions implemented.
Regards,
Alan
Alan Dean Guest
-
Alan Dean #6
Re: FormsAuthentication and Redirection fails
I've figured the reason why this behaviour is happening.
I run ZoneAlarm, and it seems that it blocks cookies from http://localhost
even when set to allow cookies... grrrr....
Thanks to Raterus for offering assistance.
Alan Dean
Alan Dean Guest
-
Mach Runner #7
Re: FormsAuthentication and Redirection fails
Have you discovered how to defeat this problem?
I am having the same problem as you ....
Mach Runner Guest
-
Faassen, B. #8
Re: FormsAuthentication and Redirection fails
I have the same problem. I don't use ZoneAlarm or whatever. Even a fresh WinXP installation gives the same result. It always returns back to the login page while authentication was successful!
I tried several browsers also. Some will be returned back to the login page and others continues to the next requested page. If returned back to the login page most of the times I can request the real url again and I will get it. Thus the authentication was successful but IIS or ASP.NET or whatever doesn't notice that...
Barry
Faassen, B. Guest
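An added diagnostic, not part of any post above and not code from the thread: a Global.asax.cs handler that reports, for each request, whether the forms ticket cookie came back from the browser and whether it still decrypts and is unexpired, which separates a cookie dropped in transit (the ZoneAlarm case in post #6) from a ticket problem. The `Global` class name, the `FormsAuthDiag` category and the comma-separated role format are assumptions.

```csharp
// Global.asax.cs - added diagnostic example, not code from the thread.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical category name; messages appear in the debugger's Output window.
    private const string Category = "FormsAuthDiag";

    // ASP.NET wires this handler up by name. It runs on every request,
    // after FormsAuthenticationModule has looked for the ticket cookie.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie cookie = Request.Cookies[cookieName];

        // Case 1: the cookie never came back. Expected on the first visit to
        // the login page; on the request that follows the post-login redirect
        // it means the browser, a personal firewall or a proxy dropped it.
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
        {
            Log("no '" + cookieName + "' cookie on " + Request.RawUrl);
            return;
        }

        // Case 2: the cookie arrived but is not a ticket this application can
        // read (truncated value, different machine key, tampering).
        // The value is a credential, so only its length is logged.
        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            Log("cookie present (" + cookie.Value.Length
                + " chars) but Decrypt failed: " + ex.GetType().Name);
            return;
        }
        if (ticket == null)
        {
            Log("cookie present but Decrypt returned no ticket");
            return;
        }

        // Case 3: the ticket is readable but past its expiration time.
        if (ticket.Expired)
        {
            Log("ticket for '" + ticket.Name + "' expired at " + ticket.Expiration);
            return;
        }

        // Case 4: valid ticket. If the login page still appears after this
        // line is logged, look at <authorization> rather than at the cookie.
        Log("valid ticket for '" + ticket.Name + "' on " + Request.RawUrl);

        // The ticket's user data ("Guest" in the thread's code) is not turned
        // into roles by the framework. Assumption: it is a comma-separated list.
        string[] roles = ticket.UserData.Split(',');
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    private static void Log(string message)
    {
        System.Diagnostics.Debug.WriteLine(message, Category);
    }
}
```

If the "no cookie" line is logged for the request that immediately follows a successful login, the ticket code is working and the cookie is being lost between the server's response and the browser's next request.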


