3
votes

I have a site that uses the default SqlMembershipProvider and FormsAuthentication. I can use the built-in Login Controls and/or programmatically call all the methods to authenticate a user and get the same result - the user is authenticated and a cookie is created, but the cookie does not appear to be valid since I can't get into any page that requires authentication.

There is no real code to show for the default Login Control since it should just "work", but here is the custom code I tried:

protected void ctrlLogin_Authenticate(object sender, AuthenticateEventArgs e)
{
   if (Membership.ValidateUser(ctrlLogin.UserName, ctrlLogin.Password))
   {
      FormsAuthentication.RedirectFromLoginPage(ctrlLogin.UserName, ctrlLogin.RememberMeSet);
      /*
       * I also tried this:
      FormsAuthentication.SetAuthCookie(ctrlLogin.UserName, ctrlLogin.RememberMeSet);
      if (!String.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
         Response.Redirect(Request.QueryString["ReturnUrl"]);
      Response.Redirect("/index.aspx");
       */
   }
   else
   {
      ctrlLogin.FailureText = "Invalid Username/Password Combination";
   }
}

With this code, Membership.ValidateUser() succeeds, and both FormsAuthentication.RedirectFromLoginPage() and FormsAuthentication.RedirectFromLoginPage() successfully set a cookie - that cookie just doesn't work to verify my authentication. I have confirmed this by deleting all my cookies and watching them get created again with FireCookie. The cookie name matches what I have in my web.config, the domain is "/", and the expiration date is as expected (see below).

Here are the relevant sections of my web.config:

<authentication mode="Forms">
  <forms loginUrl="~/login/index.aspx" name=".SoeAuth" protection="All"
    slidingExpiration="true" timeout="525599" domain=""></forms>
</authentication>
<membership defaultProvider="SqlMembershipProvider">
  <providers>
    <add connectionStringName="[MY_CS]" applicationName="[MY_APPNAME]"
      minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
      enablePasswordReset="true" passwordFormat="Hashed" requiresUniqueEmail="true"
      name="SqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
      requiresQuestionAndAnswer="false"/>
  </providers>
</membership>

It should be noted that I also added a machineKey entry in my web.config file based on a suggestion from a very similar question here (which didn't solve my problem). Also, for reference, the timeout=525599 above is 1 minute less than a year for my persistent cookies.

1
I know ValidateUser doesn't actually set a cookie. My point in mentioning that is that it is required when programmatically authenticating a user, and it proves that I'm not just typing the wrong username or password. The code above shows the full process. - Rick
What is IsAuthenticated set to when you revisit after logging in? I don't think RedirectFromLoginPage sets the auth cookie either, except in specific circumstances. - TheCodeKing
User.Identity.IsAuthenticated is false. - Rick
Try setting path to / in your forms config and it might work as is. The cookie is only set when CookiesSupported || IsPathWithinAppRoot(current, returnUrl)), otherwise just call SetAuthCookie explicitly before redirecting. - TheCodeKing
Is your cookie sent over in the next request (use Fiddler and check the request header)? And for giggles, lower your timeout to say 600 for testing. Also remove the domain="" - you aren't setting it, so remove it. - Adam Tuliper - MSFT

1 Answer

4
votes

I found the problem:

Since I was able to create a simple working test project with the exact same source code, I determined that the problem was in the web.config file.

Going through each section, I discovered that in the 'system.web / httpModules' section I had a <clear/> element. This removed the <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/> module defined in the machine-level web.config file. Adding it back in instantly fixed the problem.

It sure would have been nice to get an error message when I tried to use the FormsAuthentication methods and that module wasn't even loaded...
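
Because nothing reports the missing module at run time, the condition in the answer above can be checked statically. This is an added example, not code from the original post or from ASP.NET: a Python check that replays the `<clear/>`, `<remove>` and `<add>` directives in `system.web/httpModules`, going slightly beyond the answer by also covering `<remove name="FormsAuthentication"/>`. The sample configs and the `Example.RewriteModule` name are constructed, and `<location>` overrides are not examined.

```python
import xml.etree.ElementTree as ET

FORMS_MODULE_TYPE = "System.Web.Security.FormsAuthenticationModule"

# Constructed sample configs; "Example.RewriteModule" is a hypothetical custom module.
BROKEN = """<configuration><system.web>
  <authentication mode="Forms"><forms loginUrl="~/login/index.aspx" name=".SoeAuth"/></authentication>
  <httpModules>
    <clear/>
    <add name="Rewrite" type="Example.RewriteModule"/>
  </httpModules>
</system.web></configuration>"""

FIXED = BROKEN.replace(
    "<clear/>",
    '<clear/>\n    <add name="FormsAuthentication" type="%s"/>' % FORMS_MODULE_TYPE)


def check_forms_auth_module(web_config_xml):
    """Return a finding if Forms auth is configured but its module is unloaded, else None."""
    system_web = ET.fromstring(web_config_xml).find("system.web")
    if system_web is None:
        return None
    auth = system_web.find("authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return None  # Forms authentication is not in use
    modules = system_web.find("httpModules")
    if modules is None:
        return None  # module list is inherited unchanged from the parent config
    # Replay the collection directives in document order, starting from the
    # inherited state in which the machine-level config has loaded the module.
    loaded, removed_by = True, None
    for el in modules:
        if el.tag == "clear":
            loaded, removed_by = False, "<clear/>"
        elif el.tag == "remove" and el.get("name") == "FormsAuthentication":
            loaded, removed_by = False, '<remove name="FormsAuthentication"/>'
        elif el.tag == "add" and el.get("type", "").split(",")[0].strip() == FORMS_MODULE_TYPE:
            loaded = True
    if loaded:
        return None
    return ("authentication mode is Forms but FormsAuthenticationModule was dropped by "
            + removed_by + " in system.web/httpModules and never re-added")


if __name__ == "__main__":
    for label, xml in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "->", check_forms_auth_module(xml) or "ok")
```
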