In a form-based authentication application, I have a standard ASP.NET control with the following Authenticate event handler.
    void Login_Authenticate(object sender, AuthenticateEventArgs e)
    {
        if (Security.AuthenticateUser(Login.UserName, Login.Password))
        {
            e.Authenticated = true;
            RedirectFromLoginPage(Login.UserName);
        }
        else
        {
            e.Authenticated = false;
        }
    }
The RedirectFromLoginPage function is as follows:
    private void RedirectFromLoginPage(String username)
    {
        String returnUrl = GetReturnUrl();
        FormsAuthentication.SetAuthCookie(username, true, "/");
        Response.Redirect(returnUrl, true);
    }
This works fine in 99% of cases. However, I sometimes receive support calls from people who cannot log in. They enter their credentials and are redirected back to the main page (which is what happens when everything works fine), but they are not logged into the system.
Assuming this might be a cookie problem, I tried to reproduce it in my environment by setting the privacy settings to "Block all cookies", and I was able to reproduce the problem. The SetAuthCookie function is called, but on the next page load HttpContext.Current.User.Identity.IsAuthenticated returns false.
In my web.config, authentication is set like this:
    <authentication mode="Forms">
        <forms loginUrl="..." timeout="180" cookieless="AutoDetect"/>
    </authentication>
Reading the MSDN documentation about AutoDetect and SetAuthCookie, I got the following:
AutoDetect: Indicates that cookies are used if the device profile supports cookies; otherwise, cookies are not used. For desktop browsers that are known to support cookies, a probing mechanism will be used to try to use cookies, if they are enabled. If the device does not support cookies, no probing mechanism will be used.
FormsAuthentication.SetAuthCookie: Creates an authentication ticket for the provided username and adds it to the response cookie collection using the supplied cookie path or using the URL if you are using cookieless authentication.
I would have thought that cookieless authentication would be used in my case, but this is not what happens (I don't see anything in the QueryString after the redirect).
If I set a breakpoint in the RedirectFromLoginPage function and check some values, I get:
    bool cookieSupport = Request.Browser.Cookies;                           // "true"
    bool redirectWithCookies = Request.Browser.SupportsRedirectWithCookie;  // "true"
    HttpCookieMode currentMode = FormsAuthentication.CookieMode;            // "AutoDetect"
I'm not sure whether Request.Browser.Cookies should be true or not. The browser supports cookies, but they are all blocked ...
Anyway, I drove a few minutes to a machine where the problem was occurring. Its privacy settings were set to Medium, so it should accept cookies. This was a standard Win7 / IE8 setup. I tried adding the site to the user's trusted zone and logging in over https, but this did not help. The other problem machines were set up similarly (nothing stands out about them, and the users say they have no problems on other sites).
So what am I doing wrong here?
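As an added diagnostic, not code from the question above: a hypothetical landing page (assumed to be Default.aspx under the same web.config) that, when a user arrives unauthenticated right after login, records whether the browser returned the forms cookie at all, whether the AutoDetect probe decided on cookieless mode, and whether a ticket reached the request by URL. It also shows the login handler using the framework's own FormsAuthentication.RedirectFromLoginPage, on the assumption that it, unlike a plain Response.Redirect, carries the ticket in the URL when cookieless mode is in effect.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Hypothetical login page: lets the framework build the redirect so that a
// cookieless ticket (if AutoDetect chose cookieless) is not lost on the way.
public partial class LoginPage : System.Web.UI.Page
{
    protected void Login_Authenticate(object sender, AuthenticateEventArgs e)
    {
        e.Authenticated = Security.AuthenticateUser(Login.UserName, Login.Password);
        if (e.Authenticated)
        {
            // Second argument: persistent cookie, matching SetAuthCookie(username, true, "/") above.
            FormsAuthentication.RedirectFromLoginPage(Login.UserName, true);
        }
    }
}

// Hypothetical landing page: explain an unauthenticated arrival instead of
// silently rendering the anonymous view, so support can read the trace log.
public partial class Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (User.Identity.IsAuthenticated)
            return;

        // Result of the AutoDetect probe for THIS request, not the static config value.
        bool cookiesUsable = FormsAuthentication.CookiesSupported;
        bool cookieReturned = Request.Cookies[FormsAuthentication.FormsCookieName] != null;
        string mode = FormsAuthentication.CookieMode.ToString();

        string reason;
        if (!cookiesUsable)
            reason = "probe decided cookieless, but no ticket was carried in the URL";
        else if (!cookieReturned)
            reason = "browser did not return the forms cookie (blocked, or set for another path/host)";
        else
            reason = "cookie returned but ticket not accepted (expired, invalid, or machineKey mismatch)";

        // Never log the ticket value itself; only the presence/mode facts.
        Trace.TraceWarning("Unauthenticated after login: mode={0}, cookiesUsable={1}, cookieReturned={2}, reason={3}",
            mode, cookiesUsable, cookieReturned, reason);
    }
}
```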