6
votes

I have a web application that is stuck in an infinite loop, and I have no idea where to look next. This is an intranet site, so there is no link I can share, but I've listed as many details as I can think of below. I would appreciate any ideas or suggestions anyone has.

The details:

  • IIS 7
  • .Net 4.0
  • Windows 2008
  • Default document is Login.aspx
  • No HTTP redirect set on app or Login.aspx in IIS
  • Fiddler shows Login.aspx using status code of 302 and redirecting to Login.aspx

If I open my site, it points to Login.aspx and gets stuck in a 302 loop. If I open the site but point to register.aspx, Fiddler shows register.aspx going to Login.aspx which of course redirects to Login.aspx.

What I've done:

  • Run the webapp from Visual Studio -- everything works fine
  • Check web.config for redirect commands -- there are none
  • Check IIS for redirect commands -- there are none
  • Look at Fiddler for another page in the loop -- there are none, just Login.aspx to Login.aspx
  • Check Login.aspx for redirect commands -- there are none
  • Check Login.aspx code behind for redirect commands -- there are none
  • Run the app on my box using the web.config from the server -- everything works
  • Check Login.aspx for redirect commands -- there are none
  • Cleared Cache -- problem still persists
  • Republished -- problem still persists
  • Republished and cleared Cache -- problem still persists
  • Disabled Default Document in IIS
3
Are you running behind a load balancer by any chance? Are you sure your redirects are exactly the same (i.e. not http versus https)? – Paddy
The redirects are exactly the same. No https. I don't think I am behind a load balancer. – Johnie Karr
Does your site use some sort of redirect on, say, session expiration to Login.aspx? – Ross
Thanks for the comment @Ross. I found a code block that I completely missed, which turned out to be the problem. – Johnie Karr

3 Answers

5
votes

Will share this just in case it is an answer, as it sounds like a problem we had.

  1. ASP.NET MVC site with [RequireHttps] attribute on our login action.

  2. Behind a load balancer that was doing SSL acceleration (resulting in the request that actually hits the server side code being already decoded and effectively under http).

  3. Server code thinks this is an issue and redirects back to itself using https.

  4. Rinse and repeat.


Been quite a long time since this was answered, and my comment below here to 'not use RequireHttps' is probably a bit out of date.

Anyone looking at this answer and thinking that it answers their problem would probably be well advised to look into configuring their load balancer to use X-Forwarded-Proto headers:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

And then setting up their MVC site to be able to read these and still think they are under HTTPS at the border of your environment:

https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0

2
votes

Found the problem. Found this logic in the MasterPage:

    Dim strPage As String = Request.Url.AbsolutePath.Replace("/", "")
    'Check that user is logged in
    If Not strPage = "Login.aspx" And Not strPage = "Register.aspx" Then
        If Session("intUserId") Is Nothing Then
            Response.Redirect("~/Login.aspx", True)
        End If
    End If

Evidently, strPage does not equal Login.aspx when browsing to Login.aspx on the server.

I should have caught this when I was investigating it. Thanks Ross for your comment, it helped me to find this!
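
An added example, not part of the original answer: a console sketch of why the page check above can miss Login.aspx, and a check that compares the app-relative path instead. It assumes the server hosts the app under a virtual directory (`/MyApp`, a constructed name), which the post does not confirm; the function names are hypothetical and only the page test is modelled, not the session lookup.

```vb
Imports System

Module RedirectGateDemo
    ' Pages reachable without a session, as app-relative paths.
    Private ReadOnly AnonymousPages As String() = {"~/Login.aspx", "~/Register.aspx"}

    ' The page test from the answer, applied to a plain path string.
    Function OriginalRequiresLogin(absolutePath As String) As Boolean
        Dim strPage As String = absolutePath.Replace("/", "")
        Return Not strPage = "Login.aspx" And Not strPage = "Register.aspx"
    End Function

    ' Hypothetical stand-in for Request.AppRelativeCurrentExecutionFilePath:
    ' strips the application path (Request.ApplicationPath) from the URL path.
    Function ToAppRelative(absolutePath As String, appPath As String) As String
        Dim root As String = appPath.TrimEnd("/"c) & "/"
        If absolutePath.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then
            Return "~/" & absolutePath.Substring(root.Length)
        End If
        Return absolutePath
    End Function

    ' Exact, case-insensitive match on the app-relative path, so a page named
    ' Login.aspx in some other folder is not treated as anonymous.
    Function FixedRequiresLogin(absolutePath As String, appPath As String) As Boolean
        Dim page As String = ToAppRelative(absolutePath, appPath)
        For Each allowed As String In AnonymousPages
            If String.Equals(page, allowed, StringComparison.OrdinalIgnoreCase) Then Return False
        Next
        Return True
    End Function

    Sub Main()
        ' Constructed sample requests: {application path, requested path}.
        Dim samples As String()() = {
            New String() {"/", "/Login.aspx"},
            New String() {"/MyApp", "/MyApp/Login.aspx"},
            New String() {"/MyApp", "/MyApp/login.aspx"},
            New String() {"/MyApp", "/MyApp/Orders.aspx"}
        }
        For Each s As String() In samples
            Console.WriteLine("{0,-22} original gate redirects: {1,-5} fixed gate redirects: {2}",
                              s(1), OriginalRequiresLogin(s(1)), FixedRequiresLogin(s(1), s(0)))
        Next
    End Sub
End Module
```

Under the virtual directory, the original test sees `MyAppLogin.aspx`, so an anonymous request for the login page is itself redirected to the login page, which matches the 302 loop in the question.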

1
votes

I had encountered a similar bug. But mine was a typo with two Response.Redirect back to back.

if (condition1){
    Response.Redirect("Page1.aspx");
}
if (condition2){
    Response.Redirect("Page2.aspx");
}

And the fix was to simply put the other if in the else block.