I have a very odd problem. I have a web app that uses the .NET Membership API to provide login functionality.
This works fine on my local dev machine, using WebDev 4.0 server.
I'm using .NET 4.0 with some URL Rewriting, but not on the pages where login is required.
I have a Windows Server 2008 with IIS7
However, the Membership API seemingly does not work on the server. I have set up remote debugging and the LoginUser.LoggedIn event of the LoginUser control gets fired okay, but the MembershipUser is null. I get no answer about the username/password being invalid so it seems to be recognising it.
If I enter an invalid username/password, I get an invalid username/password response.
Some code, if it helps:
<asp:ValidationSummary ID="LoginUserValidationSummary" runat="server" CssClass="validation-error-list"
ValidationGroup="LoginUserValidationGroup"/>
<div class="accountInfo">
<fieldset class="login">
<legend>Account Information</legend>
<p>
<asp:Label ID="UserNameLabel" runat="server" AssociatedControlID="UserName">Username:</asp:Label>
<asp:TextBox ID="UserName" runat="server" CssClass="textEntry"></asp:TextBox>
<asp:RequiredFieldValidator ID="UserNameRequired" runat="server" ControlToValidate="UserName"
CssClass="validation-error" Display="Dynamic" ErrorMessage="User Name is required." ToolTip="User Name is required."
ValidationGroup="LoginUserValidationGroup">*</asp:RequiredFieldValidator>
</p>
<p>
<asp:Label ID="PasswordLabel" runat="server" AssociatedControlID="Password">Password:</asp:Label>
<asp:TextBox ID="Password" runat="server" CssClass="passwordEntry" TextMode="Password"></asp:TextBox>
<asp:RequiredFieldValidator ID="PasswordRequired" runat="server" ControlToValidate="Password"
CssClass="validation-error" Display="Dynamic" ErrorMessage="Password is required." ToolTip="Password is required."
ValidationGroup="LoginUserValidationGroup">*</asp:RequiredFieldValidator>
</p>
<p>
<asp:CheckBox ID="RememberMe" runat="server"/>
<asp:Label ID="RememberMeLabel" runat="server" AssociatedControlID="RememberMe" CssClass="inline">Keep me logged in</asp:Label>
</p>
</fieldset>
<p class="login-action">
<asp:Button ID="LoginButton" runat="server" CommandName="Login" CssClass="submitButton" Text="Log In"
ValidationGroup="LoginUserValidationGroup"/>
</p>
and the code behind:
protected void Page_Load(object sender, EventArgs e)
{
LoginUser.LoginError += new EventHandler(LoginUser_LoginError);
LoginUser.LoggedIn += new EventHandler(LoginUser_LoggedIn);
}
void LoginUser_LoggedIn(object sender, EventArgs e)
{
// this code gets run so it appears logins work
Roles.DeleteCookie(); // this behaviour has been removed for testing - no difference
}
void LoginUser_LoginError(object sender, EventArgs e)
{
HtmlGenericControl htmlGenericControl = LoginUser.FindControl("errorMessageSpan") as HtmlGenericControl;
if (htmlGenericControl != null) htmlGenericControl.Visible = true;
}
I have "Fiddled" with the Login form reponse and I get the following Cookie-Set headers:
Set-Cookie: ASP.NET_SessionId=lpyyiyjw45jjtuav1gdu4jmg; path=/; HttpOnly
Set-Cookie: .ASPXAUTH=A7AE08E071DD20872D6BBBAD9167A709DEE55B352283A7F91E1066FFB1529E5C61FCEDC86E558CEA1A837E79640BE88D1F65F14FA8434AA86407DA3AEED575E0649A1AC319752FBCD39B2A4669B0F869; path=/; HttpOnly
Set-Cookie: .ASPXROLES=; expires=Mon, 11-Oct-1999 23:00:00 GMT; path=/; HttpOnly
I don't know what is useful here because it is obviously encrypted but I find the .APXROLES cookie having no value interesting. It seems to fail to register the cookie, but passes authentication
Updates:
1/ Have tried in Classic and Integrated mode: same behaviour
2/ ASP.NET user NETWORK SERVICE (NT AUTHORITY/NETWORK SERVICE) has membership of all the aspnet_* roles.