views:

167

answers:

8

Ok, I've published a site using forms authentication. It works on my staging server. it does not work on the production server. The only thing different is sql is on a different machine for production.

The site does work, showing data from sql, but when I use the login link on the site, it brings up the login form, I login, it redirects to the main page, where it still says "login" instead of "logout".

I've tried aspnet_regsql to uninstall / install forms authentication for the server. I've restarted the www service. Here's a portion of my web.config

    <membership>
  <providers>
    <remove name="AspNetSqlMembershipProvider"/>
    <add name="AspNetSqlMembershipProvider" 
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" 
         connectionStringName="LocalSqlServer" 
         enablePasswordRetrieval="true" 
         enablePasswordReset="true" 
         requiresQuestionAndAnswer="true" 
         applicationName="/TriState" 
         requiresUniqueEmail="true" 
         minRequiredPasswordLength="4" 
         minRequiredNonalphanumericCharacters="0" 
         passwordFormat="Clear" 
         maxInvalidPasswordAttempts="5" 
         passwordAttemptWindow="10" 
         passwordStrengthRegularExpression="" />
  </providers>
</membership>
A: 

Is your login page by any chance named login.aspx? I had a problem with this in the past, since it creates the same class name as the login control and a conflict occurs. In my case I got the "Yellow Screen of Death" i.e. the stack trace since it threw an exception, but then I renamed the page and it was ok.

Nikos Steiakakis
It is login.aspx but... the "class" in the codeBehind for it I changed to "LoginPage"
Rick Ratayczak
A: 

You should explicitly set your application name. Check your database for the application table. If you have two entries there, then the system is using a different application name for your dev box and the server. If you explicitly set the name, there will be no conflict.

recursive
There is only one. I removed tables with aspnet_regsql and re-added them back in.
Rick Ratayczak
+1  A: 

How are you creating the roles and users in the production environment? Do you use a back up of the development database? In that case pay attention to the aspnet_Applications table. Make sure that the name of the application in the development and the production environment are the same. If not, try to edit the table by hand.

kgiannakakis
I Created a blank DB and ran aspnet_regsql
Rick Ratayczak
The newly created db has no information regarding applications, roles and users. You need to add these yourself. The easiest way is to use the ASP.NET Configuration Tool in Visual Studio.
kgiannakakis
If you created a blank DB and ran aspnet_regsql, then this new database which is used by your published website has no information about your username and password. You have to add this information. Also very important, if your application has a App_Data folder, please make sure you remove it or at least do not publish it because if you do, your application will create a db in that folder and try to use it instead. Good luck!
Ricardo
in the OnSessionCreated() Event, I create the roles, and add one user in, and add the user to the roles. But it still won't let me login.
Rick Ratayczak
This is a very strange approach that you are using. I suppose you just can't create the roles when the session is created. Perhaps that's too late. It would be better to use a management tool to create the roles. If you want to do it programmatically, try the Application_Init or Application_Start events at the Global.asax.
kgiannakakis
yes, global.asax is where I am creating the roles and initial user.
Rick Ratayczak
If this is the correct answer, then what was problem you actually ended up having? Was it the case the application names did not match?
CRice
A: 

Is it possible that the application is serving the wrong cookies? On our testing servers the hostname is different than the production servers and the cookies end up in a different domain. The testing and production servers need to know the domains they are serving to send the right cookies back (this is done by storing the names and domains in the database).

Mr. Shiny and New
I don't know. I am using standard asp.net controls for login, etc.
Rick Ratayczak
@Rick: try to log in using Firefox with LiveHTTPHeaders or the Web developer tools, and watch the HTTP headers. Look for the cookie headers and see if the domain of the cookie matches the domain of the site. You'll see something like `Set-Cookie: Country=CA;Path=/;Domain=.stackoverflow.com`; make sure the .stackoverflow.com part matches your production site's hostname and domain properly.
Mr. Shiny and New
A: 

Have you tried backing up the database from the staging server and restoring it on the production server? (here are instructions to do that.)

This will confirm that the database you are using isn't the issue.

Chris
That is what i did initially.
Rick Ratayczak
A: 

Where does LocalSqlServer point? Is that the correct connection string to use in this case?

Wyatt Barnett
(local) trusted connection
Rick Ratayczak
Well, should the application be using the local, trusted sql express connection? Or should it be using another database?
Wyatt Barnett
A: 

Ok have you tried doing a manual login to bypass the membership check? This will rule out forms authentication itself being the problem.

        if (Request.QueryString["ReturnUrl"] != null)
        {
            FormsAuthentication.RedirectFromLoginPage("someuserid", false);
        }
        else
        {
            FormsAuthentication.SetAuthCookie("someuserid", false);
            Response.Redirect("~/SomePage.aspx");
        }

Check your users are set up with whatever roles you have allowed in authorization.

    <authorization>
  <deny users="?"/>
  <allow roles="Public"/>
  <allow roles="AdminUser"/>
 </authorization>

Check if there any web.configs further down (inheriting from higher level folder web.configs) which allow or deny any user's roles by specifying authorization.

CRice
A: 

Make sure your application name is the same in the production database:

applicationName="/TriState"
rick schott