tags:

views:

150

answers:

7
+5  Q: 

What could cause ASP.NET FormsAuthentication Cookie problems apart from cookies being turned off?

People are reporting having trouble logging into one of our ASP.NET sites. When I check the IIS logs, it looks like the FormsAuthentication cookie is not being cached by their browsers after they log on.

I don't think its as simple as 'user has set their browser to not accept cookies' because:
a) If cookies in general weren't working for their browser, they'd never have got as far as they have in the process - the ASP.NET session cookies seem to be working OK, for example.
b) These generally aren't the kind of users who would even know how to turn cookies off.

So I think it must be something else. What sort of problems can cause ASP.NET FormsAuthentication cookies to stop working, apart from users simply setting their browsers to reject cookies?

edit: For example This answer to another question suggests that sometimes FormsAuthentication Cookies get dropped because they are too large - perhaps someone can shed some light on that?

edit: the FormsAuthentication cookie for one of our sites is 233 bytes - is that a bit big? Can it be made smaller? Maybe that would help.

edit: I notice the code uses FormsAuthentication.SetAuthCookie() and Response.Redirect() instead of FormsAuthentication.RedirectFromLoginPage() - could that be related?

+1  A: 

Is it possible the user is accessing your webserver via 2 different domains? For example, if I go to www.foo.com and get an authentication cookie, then redirect to www.bar.com, the request sent to www.bar.com certainly won't contain the cookie set by www.foo.com.

This issue would also happen if you set the cookie at htp://login.foo.com, then redirect to htp://content.foo.com. However, I believe the cookie could be configured using a wildcard, so that it would apply to *.foo.com.

Edit: deliberately misspelled "http" so that there aren't actual clickable garbage-links in this answer. :)

mikemanne  2010-08-16 18:05:56
Thanks. That could indeed cause a formsauthentication problem, but its not the cause of my problem.
codeulike  2010-08-18 15:30:28
Rats - so much for the easy answer, eh? If you do find the root cause, please post it as an answer here - now I'm curious.
mikemanne  2010-08-19 14:00:08
+1  A: 

There is an idle timeout--are they logging in, then not doing anything for a while, then trying to access the site again? You might check that. And, see if the timeout is set to be a sliding timeout (e.g., 20 min after last request) or a fixed timeout (e.g., 20 min after login). I think the sliding timeout is not the default setting.

Richard Dudley  2010-08-16 19:16:19
Thanks. That could indeed cause a formsauthentication problem, but its not the cause of my problem.
codeulike  2010-08-18 15:30:59
+1  A: 

If your site runs in a web farm you might need to set the same machine keys on all servers or if the user switches server it might not be able to decrypt the authentication ticket.

The difference between RedirectFromLoginPage() and SetAuthCookie followed by Response.Redirect() is that the first works also if cookies are disabled (in fact it uses a query string parameter to track authenticated users).

Darin Dimitrov  2010-10-19 17:49:53
A: 

Try the following steps.

http://blogs.msdn.com/b/rahulso/archive/2007/01/17/troubleshooting-cookies-a-case-study.aspx

I wrote this long back, but if you follow it closely the chances are high that you will find the root cause.

Isolation of the root cause is the key here. Fixing the issue will be pretty simple once you figure out why it is happening in the first place.

Rahul

www.dotnetscraps.com

Rahul Soni  2010-10-20 05:21:27
A: 

Could it be that the webserver name, or part of the DNS name contains an underscore?

eg:

www2_http.mydomain.com

I remember having that problem during some development stage, where the Sessions would not behave regularly. Removing the underscore from the machines domain name resolved the issue for me.

regards

ovm  2010-10-20 09:16:59
+1  A: 

I've had a similar problem (not with the formsauthentication cookie, but with a sticky loadbalancer cookie) because the server didn't have a proper time/timezone configuration, so there were cases when the cookie expiration date was previous than the current time in the users machine.

see here: http://stackoverflow.com/questions/2262530/how-do-expire-values-work-for-cookies-and-caching

hope it helps

Sebastian Piu  2010-10-20 17:26:29
A: 

Are you using more than one domain to talk to the same web application? Remember that cookies are domain specific, www.mydomain.com <> www.mydomain.net <> my.domain.net.

A stab in the dark, do you have machine keys in your web.configs?

ewitkows  2010-10-21 02:03:42

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps