PRB: Forms Authentication Requests Are Not Directed to loginUrl Page

Article ID: 313116
This article was previously published under Q313116

SYMPTOMS

When you use forms authentication, requests are not redirected to the page that is specified in the loginUrl attribute.

CAUSE

This problem occurs when more than one application on a server uses forms authentication and all three of the following configuration settings are identical across those applications:
  • Cookie names
  • Cookie paths
  • Keys

Identical Cookie Names

Forms authentication primarily works off of the authentication cookie. An authentication cookie is placed in the HttpResponse.Cookies collection once a user is authenticated. When a request comes in, forms authentication retrieves the authentication cookie from the HttpRequest.Cookies collection.

If a valid cookie is not present, the user is redirected to the page that is specified in the loginUrl attribute. If a valid cookie is present, forms authentication considers the user authenticated.

The name attribute of the <forms> element in the .config files determines the name of the authentication cookie. By default, the name of the cookie is .ASPXAUTH. Therefore, if multiple applications on the same Web server use the name "authCookie" for the authentication cookie, a request that was authenticated in one application is considered authenticated in another application because the request contains a cookie named authCookie.

Identical Cookie Paths

Forms authentication primarily works off of the authentication cookie. The path attribute of the <forms> element determines which application the authentication cookie can be sent to on the Web server. The default value of the path attribute is a forward slash (/) so that the cookie can be sent to every application on the Web site.

Therefore, if multiple applications on the same Web site use the forward slash for the path of the authentication cookie, when a request is sent from one application to another application, the authentication cookie is sent to the other application.

Identical Keys

The <machineKey> element controls the encryption, the decryption, and the validation of the authentication cookie. The default configuration for the element is as follows:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
If multiple applications use identical, explicit values for the <machineKey> element, an authentication cookie that is sent from one application is decrypted by another application successfully.

RESOLUTION

To resolve this problem, make sure that at least one of the three configuration settings (cookie name, cookie path, and key) is different for each application that uses forms authentication.

Different Cookie Names

If you use different cookie names for each application, you ensure that forms authentication only retrieves a cookie according to the name that is configured for that application.

For example:
  1. Application1 uses the name authCookie1.
  2. Application2 uses the name authCookie2.
  3. A request is made to Application2.
  4. Forms authentication tries to retrieve authCookie2 from the HttpRequest.Cookies collection, even though the authCookie1 cookie exists.

    When forms authentication does not find an authentication cookie with the name authCookie2, the user is redirected to the page that is specified in the loginUrl attribute for Application2.

Different Cookie Paths

If you use a different cookie path, you ensure that the authentication cookie is sent only to the application in which the cookie originated.

For example:
  1. Application1 uses the path /application1.
  2. Application2 uses the path /application2.
  3. Forms authentication authenticates to Application1.
  4. A request is made to Application2. The browser does not send the authentication cookie from Application1 to Application2 because the cookie can be sent only to Application1.
NOTE: The path attribute is case sensitive. Therefore, if you set the value of the path attribute to /application1 while the application name is Application1, the authentication cookie path is /application1, which does not match the path of the application.

When the user is authenticated and redirected, the browser does not send the cookie with the /application1 path to the Application1 application. Essentially, the authentication cookie is not part of the HttpRequest.Cookies collection. As a result, the user is redirected to the page that is specified in the loginUrl attribute, even after authentication.

Microsoft recommends that you confine forms authentication cookies to areas of the site that are protected by Secure Sockets Layer (SSL) encryption.

Different Keys

If different applications use different, explicit values for the <machineKey> element, the encryption, the decryption, or the validation of the authentication cookie fails. As a result, the user is redirected to the page that is specified in the loginUrl attribute for the application.

NOTE: Even in identical configurations, authorization rules still apply. In the examples to follow, if User1 is authenticated in Application1 and makes a request to Application2, the request is authenticated. However, because User1 is not one of the allowed users in the <authorization> section, the request is not authorized and is denied.

Web.config in Application1
<configuration>
   <system.web>
      <authorization>
         <allow users="User1,User2,User3" />
         <deny users="?" />
      </authorization>
   </system.web>
</configuration>
Web.config in Application2
<configuration>
   <system.web>
      <authorization>
         <allow users="User4,User5,User6" />
         <deny users="?" />
      </authorization>
   </system.web>
</configuration>

STATUS

This behavior is by design.

MORE INFORMATION

Steps to Reproduce Behavior

Configure two ASP.NET applications named Application1 and Application2 to use forms authentication with the following configurations:
  1. Add the following code as the Web.config file for both applications:
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="login.aspx" name="formsauth1" timeout="60" path="/">
            <credentials passwordFormat="Clear">
              <user name="username" password="password"/>
            </credentials>
          </forms>
        </authentication>
        <authorization>
          <deny users="?" />
          <allow users="*" />
        </authorization>
      </system.web>
    </configuration>
  2. Add the following code as the Login.aspx file for both applications:
    <%@ Page language="vb" AutoEventWireup="true" %>

    <form runat="server" ID="Form1">
      <asp:Label runat="server" id="lblUserid" Text="UserID:" />
      <asp:TextBox id="txtUsername" runat="server" Text="username" /><br>
      <asp:Label runat="server" id="lblPassword" Text="Password:" />
      <asp:TextBox id="txtPassword" runat="server" Text="password" /><br>
      <asp:Button Text="Login" OnClick="Login_Click" runat="server" ID="btnLogin" /><br>
      <asp:Label runat="server" id="lblStatus" />
    </form>

    <script runat="server">
    ' Checks the posted credentials against the <credentials> section of Web.config.
    Sub Login_Click(sender As Object, e As EventArgs)
        If FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text) Then
            ' Issues the authentication cookie (name and path from <forms>)
            ' and redirects to the page that was originally requested.
            FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)
        Else
            lblStatus.Text = "Not Authenticated"
        End If
    End Sub
    </script>
  3. Add the following code as the Default.aspx file for Application1:
    <%@ Page AutoEventWireup="true" %>

    <form runat="server" ID="Form1">
      <asp:Label id="label1" runat="server" Text="Authenticated In Application1"></asp:Label><br>
      <asp:Label runat="server" ID="Label2"></asp:Label>
    </form>
  4. Add the following code as the Default.aspx file for Application2:
    <%@ Page AutoEventWireup="true" %>

    <form runat="server" ID="Form1">
      <asp:Label id="label1" runat="server" Text="Authenticated In Application2"></asp:Label><br>
      <asp:Label runat="server" ID="Label2"></asp:Label>
    </form>
  5. Request Default.aspx in Application1.
  6. After you are redirected to Login.aspx, log on by typing username for the user name and password for the password. Notice that you are redirected to Default.aspx in Application1.
  7. Request Default.aspx in Application2. Notice that you are not redirected to the Login.aspx page in Application2.

REFERENCES

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
308157 HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET
306590 INFO: ASP.NET Security Overview
313091 HOW TO: Create Keys by Using Visual Basic .NET for Use in Forms Authentication

Properties

Article ID: 313116 - Last Review: February 23, 2007 - Revision: 2.8
APPLIES TO
  • Microsoft ASP.NET 1.1
  • Microsoft ASP.NET 1.0
Keywords: 
kbconfig kbcookie kbprb kbsecurity KB313116
