Forms Authentication doesn't protect specified pages.

[Steve R.]

This is driving me nuts:

I've used this same exact setup (web.config, see below) before without
any problems... the authentication does not stop at the logon page AT
ALL. I've put breakpoints in it to be sure, plus, there's no code at
all in my Load event handler for the Logon page.

It seems to work as predicted if I try to access the app from a
workstation that I haven't tried to access from. I just tested one
more time and it worked 3 times in a row and I couldn't break it, but
on the dev server itself, it always falls right through without
stopping at all on logon.aspx and another workstation accessing the
app worked a few times and then began to fail.

I've got another app set up on the very same server where I have never
encountered that problem before. This is not the first time I've
implemented Forms Authentication.

I cannot figure out what gives here. Where should I start to look? The
web config setup was copied and pasted directly from the working app
to the app under development on the same dev server.

Any help would be very gratefully received.

Here's the relevant portions of my web.config:

<system.web>
<!-- enable Forms authentication -->
<authentication mode="Forms">
<forms name="AHDAuth" loginUrl="logon.aspx"
protection="All" path="/" />
</authentication>
<!-- enable custom errors for the application -->
<customErrors mode="Off">

</customErrors>
<sessionState mode="InProc" cookieless="false" />
<compilation defaultLanguage="vb" debug="true" />
</system.web>
<!-- set secure paths -->

<location path="Quote.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="SupplierInfoEdit.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

 

[ranganh]

Dear Steve,

In your Login page, have you enabled, persistent cookies. i.e.

FormsAuthentication.RedirectFromLoginPage("Username", true)

if you give the boolean (persistent cookie) as true, then the cookie will be stored in
the machine and it will not ask for login until you explicitly log out.

That might be causing your authentication not to work.

If that is not the case, write back.

thanks.

 

[Steve R.]

I considered that. I looked for the cookie in the cookies folder on
the affected systems and did not find it. I haven't ruled it out,
though. I did have it set to True and then changed it, but if a cookie
had already been sent to one of the systems in question, I guess
changing the code wouldn't affect a cookie that was already there,
would it? What changes how long it lasts on the client system? I've
never encountered that property.

It is always after a successful logon that it starts screwing up.
Thanks for confirming my suspicions, that really does seem like the
only reasonable explanation. In your explanation below, wouldn't the
cookie be named "Username". I'm wondering if I'm looking in the wrong
place for it.

Thanks,

Steve

 

[ranganh]

Dear Steve,

In normal cases, the cookie is stored in the system for 50 years. But I know, we can also specify the duration manually for the cookie to be stored in the system.

In your case, did you check logging out? I mean you say, first time, it successfully asks for login and once you log in, after performing all the tasks, did you implement, a mechanism for signing out? I mean, you have any log out button, which will do the FormsAuthentication.Signout() method?

This method will delete the cookie and even persistent cookies.

If even after you signout, its taking you in automatically, write back, there is some other problem then. we will solve it . dont worry

hope it helps

 

[Steve R.]

That was very helpful. Thanks! I finally deleted all the cookies on
the dev system because I couldn't find the specific one, and that
worked. Now that I've changed the persistent cookie property to FALSE,
I expect the problem is gone. Thanks for keeping me focused on the
cookie issue.

Steve