My ASP.NET 4.5 Web Forms app seems to be disallowing multiple sessions, or timing sessions out, or something similar. The first one or two people log in successfully and use the system until a third or later person tries to log in, and it redirects them to the login page. Pressing F12, I get the following message:
Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen
Here is my login button code:
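/// <summary>
/// Handles the login button click: verifies the submitted user name and password,
/// rejects deleted or disabled accounts, signs the user in with the application
/// cookie and redirects to the requested page or to a role-specific landing page.
/// </summary>
/// <param name="sender">The control that raised the event.</param>
/// <param name="e">Event data (not used).</param>
/// <remarks>
/// The password arrives in the POST body of this page, so the page has to be served
/// over HTTPS; nothing in this handler enforces that.
/// </remarks>
protected void btnLogin_Click(object sender, EventArgs e)
{
    // Both the EF context and the manager are disposable; release them when the
    // handler exits instead of leaving a context (and its connection) per login attempt.
    using (ApplicationDbContext _db = new ApplicationDbContext())
    using (var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(_db)))
    {
        // Find returns null when the user name is unknown or the password does not match.
        ApplicationUser user = userManager.Find(txtUserName.Text, txtPassword.Text);
        if (user == null)
        {
            // One message for both failure causes, so the response does not reveal
            // whether the user name exists.
            ModelState.AddModelError("Error", "Invalid username or password.");
            return;
        }

        // The account named by ApplicationDbInitializer.userName is exempt from the
        // deleted/disabled checks (presumably the seeded administrator; confirm).
        // Ordinal comparison avoids the culture-dependent casing of ToLower().
        bool isInitializerAccount = string.Equals(
            user.UserName,
            ApplicationDbInitializer.userName,
            StringComparison.OrdinalIgnoreCase);

        if (user.IsDeleted && !isInitializerAccount)
        {
            ModelState.AddModelError("Error", "Your account has been deleted.");
            return;
        }

        if (!user.IsActive && !isInitializerAccount)
        {
            ModelState.AddModelError("Error", "Your account has been disabled.");
            return;
        }

        IAuthenticationManager authenticationManager = HttpContext.Current.GetOwinContext().Authentication;

        // Clear any leftover external-login cookie before issuing the application cookie.
        authenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);

        ClaimsIdentity identity = userManager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationProperties props = new AuthenticationProperties();
        // "Remember me" asks for a persistent cookie.
        props.IsPersistent = chkRememberMe.Checked;
        authenticationManager.SignIn(props, identity);

        // ReturnUrl comes from the query string and is attacker-controllable, so it is
        // followed only when it points back into this site. Anything else falls through
        // to the role-based landing page.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (IsLocalReturnUrl(returnUrl))
        {
            Response.Redirect(returnUrl);
        }
        else if (userManager.IsInRole(user.Id, "Admin"))
        {
            Response.Redirect("~/admin/index");
        }
        else
        {
            Response.Redirect("~/user/index");
        }
    }
}

/// <summary>
/// Returns true when <paramref name="url"/> is a site-relative path ("/..." or "~/...")
/// that a browser cannot interpret as pointing at another host.
/// </summary>
/// <param name="url">The candidate redirect target; may be null or empty.</param>
private static bool IsLocalReturnUrl(string url)
{
    if (string.IsNullOrEmpty(url))
    {
        return false;
    }

    // Control characters (CR, LF, tab, ...) have no place in a redirect target.
    foreach (char c in url)
    {
        if (char.IsControl(c))
        {
            return false;
        }
    }

    if (url[0] == '/')
    {
        // "//host" and "/\host" are treated by browsers as scheme-relative URLs.
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }

    // Application-relative form, e.g. "~/user/index".
    return url.Length > 1 && url[0] == '~' && url[1] == '/';
}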