1
votes

I have an ASP.NET web site with forms authentication that seems to be experiencing a redirect loop issue when the page times out.

First my rules:

<rewrite>
  <rules>
    <clear />
    <rule name="HTTP to HTTPS redirect" enabled="false" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTPS}" pattern="OFF" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/" appendQueryString="true" redirectType="Permanent" />
    </rule>
    <rule name="Root to login page" enabled="true" stopProcessing="true">
      <match url="^$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
      <action type="Redirect" url="https://{HTTP_HOST}/Account/Login.aspx" redirectType="Found" />
    </rule>
    <rule name="Login" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*/Login.aspx" />
      <conditions>
        <add input="{REQUEST_URI}" pattern="*account/login.aspx" negate="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/Account/Login.aspx" />
    </rule>
  </rules>
</rewrite>

The intent here is:

  1. If anyone browses to http://mysite.com they get redirected to https://mysite.com
  2. If anyone browses to https://mysite.com/ they get redirected to https://mysite.com/account/login.aspx
  3. If anyone requests the login.aspx page in any folder or subfolder of my site they get redirected to https://mysite.com/account/login.aspx

I have confirmed that with the first rule turned off, when the page expires the user does get redirected to the login page with the correct return URL (https://mysite.com/account/login.aspx?ReturnUrl=%2fMemberPages%2fMyPage.aspx). However, with the first URL Rewrite rule turned on, when the page expires the user gets a "page cannot be displayed" error and the URL in the address bar is https://mysite.com/memberpages/mypage.aspx.

I've tried tweaking various settings, including adding an exclusion to the first rule for ReturnUrl, but I cannot get it to behave and I'm under a deadline. Can anyone help me with some suggestions?

2
Note that the "HTTP to HTTPS redirect" rule is disabled in my rules above; when it is enabled I have the problem. - Chuck Herrington

2 Answers

0
votes

Since your first rule redirects to url="https://{HTTP_HOST}/", your second rule should match for a trailing / as well, so you should write it as:

<rule name="Root to login page" enabled="true" stopProcessing="true">
  <match url="^/?$" />
  <action type="Redirect" url="account/login.aspx" redirectType="Found" />
</rule>

Note that you don't need to redirect to the full url every time (you can skip the https://{HTTP_HOST}/ most of the time).

0
votes

With a little outsourced help (thanks Kyle) we found the solution to this issue. Turns out we had a bad setup of forms authentication timeout and session timeout. All that needed to be done was to set:

<sessionState mode="InProc" timeout="10" />

and

<forms loginUrl="~/Account/Login.aspx" slidingExpiration="true" timeout="5" />

According to Kyle's research, you have to use the following formula:

Session State Timeout <= (Forms Authentication Timeout * 2)

After setting the session state timeout to 10 and the forms timeout to 5 (test values obviously) the problem seems to have gone away.
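For reference, here is an added example of how the three rewrite intents from the question and the forms/session settings from the second answer fit together in one web.config. This is not the original poster's or either answerer's configuration. It assumes the application runs at the site root (so {URL} for the login page is exactly /Account/Login.aspx) and that IIS URL Rewrite 2.x is installed. Two things differ from the question's rules: the HTTP-to-HTTPS action carries {R:1}, the path captured by match url, so the redirect lands on the page the user asked for rather than on https://host/ (the posted rule drops the path, which is what loses the ReturnUrl round trip), and the login canonicalisation rule tests {URL} (path only, no query string) instead of {REQUEST_URI} so it cannot match its own target. requireSSL="true" on the forms element is also an addition: it marks the authentication cookie Secure so a browser never sends it on the plain-HTTP request that rule 1 then redirects.

```xml
<!-- Added example, not the original poster's or either answerer's config.
     Assumes the application is at the site root and URL Rewrite 2.x is installed. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Timeouts are the test values from the second answer (minutes).
           requireSSL="true" is an addition: the auth cookie is only sent over HTTPS. -->
      <forms loginUrl="~/Account/Login.aspx" slidingExpiration="true" timeout="5" requireSSL="true" />
    </authentication>
    <sessionState mode="InProc" timeout="10" />
  </system.web>

  <system.webServer>
    <rewrite>
      <rules>
        <clear />

        <!-- 1. Force HTTPS. {R:1} is the path captured by match url, so
             http://host/MemberPages/MyPage.aspx becomes
             https://host/MemberPages/MyPage.aspx instead of https://host/.
             appendQueryString keeps any ?ReturnUrl=... on the redirect. -->
        <rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
        </rule>

        <!-- 2. Bare site root to the login page. match url is the request path
             without its leading slash, so "^$" matches both https://host and
             https://host/. The relative action URL resolves against the site. -->
        <rule name="Root to login page" enabled="true" stopProcessing="true">
          <match url="^$" />
          <action type="Redirect" url="Account/Login.aspx" redirectType="Found" />
        </rule>

        <!-- 3. Any other Login.aspx goes to /Account/Login.aspx. The negated
             condition uses {URL} (path only, no query string) so the rule does
             not fire for its own target and loop; ignoreCase defaults to true. -->
        <rule name="Login" enabled="true" stopProcessing="true">
          <match url="(^|/)Login\.aspx$" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{URL}" pattern="^/Account/Login\.aspx$" negate="true" />
          </conditions>
          <action type="Redirect" url="Account/Login.aspx" appendQueryString="true" redirectType="Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

To check the first rule, request a protected page over plain HTTP with no cookie and follow the redirects: the first hop should be a 301 to the same path over HTTPS, and the second a 302 from forms authentication to /Account/Login.aspx?ReturnUrl=%2fMemberPages%2fMyPage.aspx, which rule 3 must leave alone.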