I have an application built using ASP.NET MVC 3.0. It uses asp.net, built-in forms authentication, no session state and browser cookies to identify the user making the requests.
Now when I test the application using IE9, a typical HTML request sends this user agent to the header and everything works fine.
User-Agent: Mozilla / 5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident / 5.0)
However, we have one page in the application, in which there is an ActiveX container that hosts Microsoft Word in the browser. The purpose of this ActiveX container is to allow you to make changes to the word document, click on the button to POST this document with your changes on our server so that it can be saved.
The ActiveX control has a method - the Office Viewer component from www.ocxt.com - called HttpPost (), which sends the contents of the viewed document to the server.
When calling HttpPost (), it sends all the same cookies properly, but uses a different User-Agent line.
User-Agent: Mozilla / 4.0 (compatible; MSIE 5.5; Windows NT 4.0)
A UserAgent user using the MSIE 5.5 line causes ASP.NET or MVC not to send a request to the appropriate controller, but instead sends a redirect response to the login page, even if the cookie is valid for the session. I checked the test with Fiddler and tried to use MSIE 6.0, 7.0, 8.0, and they seem to work fine, so specifically 5.5 leads to redirecting part of the server stack to the login page.
This page worked fine, so I'm not sure that something has changed in recent versions of ASP.NET/MVC, or is it because I switched to IE9.0, but basically I would like to know if ASP.NET can be reported so that it does not take into account the User-Agent in determining whether the session has already passed or not.
Thank.