Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
PRB: Forms Authentication Requests Are Not Directed to loginUrl Page
Article ID: 313116 - View products that this article applies to.
This article was previously published under Q313116
When you use forms authentication, requests are not redirected to the page that is specified in the loginUrl attribute.
This problem occurs when more than one application on a server uses forms authentication and these configuration settings are identical:
Identical Cookie NamesForms authentication primarily works off of the authentication cookie. An authentication cookie is placed in the HttpResponse.Cookies collection once a user is authenticated. When a request comes in, forms authentication retrieves the authentication cookie from the HttpRequest.Cookies collection.
If a valid cookie is not present, the user is redirected to the page that is specified in the loginUrl attribute. If a valid cookie is present, forms authentication considers the user authenticated.
The name attribute of the <forms> element in the .config files determines the name of the authentication cookie. By default, the name of the cookie is .ASPXAUTH. Therefore, if multiple applications on the same Web server use the name "authCookie" for the authentication cookie, a request that was authenticated in one application is considered authenticated in another application because the request contains a cookie named authCookie.
Identical Cookie PathsForms authentication primarily works off of the authentication cookie. The path attribute of the <forms> element determines which application the authentication cookie can be sent to on the Web server. The default value of the path attribute is a forward slash (/) so that the cookie can be sent to every application on the Web site.
Therefore, if multiple applications on the same Web site use the forward slash for the path of the authentication cookie, when a request is sent from one application to another application, the authentication cookie is sent to the other application.
Identical KeysThe <machineKey> element controls the encryption, the decryption, and the validation of the authentication cookie. The default configuration for the element is as follows:
If multiple applications use identical, explicit values for the <machineKey> element, an authentication cookie that is sent from one application is decrypted by another application successfully.
To resolve this problem, make sure that at least one of the three configuration settings (cookie name, cookie path, and key) is different for each application that uses forms authentication.
Different Cookie NamesIf you use different cookie names for each application, you ensure that forms authentication only retrieves a cookie according to the name that is configured for that application.
Different Cookie PathsIf you use a different cookie path, you ensure that the authentication cookie is sent only to the application in which the cookie originated.
When the user is authenticated and redirected, the browser does not send the cookie with the /application1 path to the Application1 application. Essentially, the authentication cookie is not part of the HttpRequest.Cookies collection. As a result, the user is redirected to the page that is specified in the loginUrl attribute, even after authentication.
Microsoft recommends that you confine forms authentication cookies to areas of the site that are protected by Secure Sockets Layer (SSL) encryption.
Different KeysIf different applications use different, explicit values for the <machineKey> element, the encryption, the decryption, or the validation of the authentication cookie fails. As a result, the user is redirected to the page that is specified in the loginUrl attribute for the application.
NOTE: Even in identical configurations, authorization rules still apply. In the examples to follow, if User1 is authenticated in Application1 and makes a request to Application2, the request is authenticated. However, because User1 is not one of the allowed users in the <authorization> section, the request is not authorized and is denied.
Web.config in Application1
Web.config in Application2
Steps to Reproduce BehaviorConfigure two ASP.NET applications named Application1 and Application2 to use forms authentication with the following configurations:
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/308157/EN-US/ )HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET
(http://support.microsoft.com/kb/306590/EN-US/ )INFO: ASP.NET Security Overview
(http://support.microsoft.com/kb/313091/EN-US/ )HOW TO: Create Keys by Using Visual Basic .NET for Use in Forms Authentication