Microsoft KB Archive/313116

= PRB: Forms Authentication Requests Are Not Directed to loginUrl Page =

Article ID: 313116

Article Last Modified on 2/23/2007

-

APPLIES TO


 * Microsoft ASP.NET 1.1
 * Microsoft ASP.NET 1.0

-



This article was previously published under Q313116



SYMPTOMS
When you use forms authentication, requests are not redirected to the page that is specified in the loginUrl attribute.



CAUSE
This problem occurs when more than one application on a server uses forms authentication and these configuration settings are identical:
 * Cookie names
 * Cookie paths
 * Keys

Identical Cookie Names
Forms authentication primarily works off of the authentication cookie. An authentication cookie is placed in the HttpResponse.Cookies collection once a user is authenticated. When a request comes in, forms authentication retrieves the authentication cookie from the HttpRequest.Cookies collection.

If a valid cookie is not present, the user is redirected to the page that is specified in the loginUrl attribute. If a valid cookie is present, forms authentication considers the user authenticated.

The name attribute of the   element in the .config files determines the name of the authentication cookie. By default, the name of the cookie is .ASPXAUTH. Therefore, if multiple applications on the same Web server use the name &quot;authCookie&quot; for the authentication cookie, a request that was authenticated in one application is considered authenticated in another application because the request contains a cookie named authCookie.

Identical Cookie Paths
Forms authentication primarily works off of the authentication cookie. The path attribute of the   element determines which application the authentication cookie can be sent to on the Web server. The default value of the path attribute is a forward slash (/) so that the cookie can be sent to every application on the Web site.

Therefore, if multiple applications on the same Web site use the forward slash for the path of the authentication cookie, when a request is sent from one application to another application, the authentication cookie is sent to the other application.

Identical Keys
The  element controls the encryption, the decryption, and the validation of the authentication cookie. The default configuration for the element is as follows:  If multiple applications use identical, explicit values for the  element, an authentication cookie that is sent from one application is decrypted by another application successfully.



RESOLUTION
To resolve this problem, make sure that at least one of the three configuration settings (cookie name, cookie path, and key) is different for each application that uses forms authentication.

Different Cookie Names
If you use different cookie names for each application, you ensure that forms authentication only retrieves a cookie according to the name that is configured for that application.

For example:
 * 1) Application1 uses the name authCookie1.
 * 2) Application2 uses the name authCookie2.
 * 3) A request is made to Application2.
 * 4) Forms authentication tries to retrieve authCookie2 from the HttpRequest.Cookies collection, even though the authCookie1 cookie exists.

When forms authentication does not find an authentication cookie with the name authCookie2, the user is redirected to the page that is specified in the loginUrl attribute for Application2.

Different Cookie Paths
If you use a different cookie path, you ensure that the authentication cookie is sent only to the application in which the cookie originated.

For example:
 * 1) Application1 uses the path /application1.
 * 2) Application2 uses the path /application2.
 * 3) Forms authentication authenticates to Application1.
 * 4) A request is made to Application2. The browser does not send the authentication cookie from Application1 to Application2 because the cookie can be sent only to Application1.

NOTE: The path attribute is case sensitive. Therefore, if the you set the value of the path attribute to /application1, and if the application name is Application1, the authentication cookie path is /application1.

When the user is authenticated and redirected, the browser does not send the cookie with the /application1 path to the Application1 application. Essentially, the authentication cookie is not part of the HttpRequest.Cookies collection. As a result, the user is redirected to the page that is specified in the loginUrl attribute, even after authentication.

Microsoft recommends that you confine forms authentication cookies to areas of the site that are protected by Secure Sockets Layer (SSL) encryption.

Different Keys
If different applications use different, explicit values for the  element, the encryption, the decryption, or the validation of the authentication cookie fails. As a result, the user is redirected to the page that is specified in the loginUrl attribute for the application.

NOTE: Even in identical configurations, authorization rules still apply. In the examples to follow, if User1 is authenticated in Application1 and makes a request to Application2, the request is authenticated. However, because User1 is not one of the allowed users in the section, the request is not authorized and is denied.

Web.config in Application1     Web.config in Application2    

<div class="status_section">

STATUS
This behavior is by design.

<div class="moreinformation_section">

Steps to Reproduce Behavior
Configure two ASP.NET applications named Application1 and Application2 to use forms authentication with the following configurations: <ol> <li> Add the following code as the Web.config file for both applications: <?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?> 

<authentication mode=&quot;Forms&quot;> <forms loginUrl=&quot;login.aspx&quot; name=&quot;formsauth1&quot; timeout=&quot;60&quot; path=&quot;/&quot; > <credentials passwordFormat=&quot;Clear&quot;> <user name=&quot;username&quot; password=&quot;password&quot;/>

<deny users=&quot;?&quot; /> <allow users=&quot;*&quot; /> </system.web>

</li> <li> Add the following code as the Login.aspx file for both applications: <%@ Page language=&quot;vb&quot; AutoEventWireup=&quot;true&quot; %> <form runat=server ID=&quot;Form1&quot;> <asp:Label runat=&quot;server&quot; label=&quot;lblUserid&quot; Text=&quot;UserID:&quot; /> <asp:TextBox id=&quot;txtUsername&quot; runat=server Text=&quot;username&quot; /> <asp:Label runat=&quot;server&quot; label=&quot;lblPassword&quot; Text=&quot;Password:&quot; /> <asp:TextBox id=&quot;txtPassword&quot; runat=server Text=&quot;password&quot; /> <asp:button text=&quot;Login&quot; OnClick=&quot;Login_Click&quot; runat=server ID=&quot;btnLogin&quot;/> <asp:Label runat=&quot;server&quot; id=&quot;lblStatus&quot; /> sub Login_Click(sender as Object, e as EventArgs ) if(FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text)) then FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, false) else lblStatus.Text = &quot;Not Authenticated&quot; end if end sub </li> <li> Add the following code as the Default.aspx file for Application1: <%@ Page AutoEventWireup=&quot;true&quot; %>

<asp:Label id=label1 runat=&quot;server&quot; Text=&quot;Authenticated In Application1&quot;></asp:Label> <asp:Label Runat=server ID=&quot;Label2&quot; ></asp:Label> </Form> </li> <li> Add the following code as the Default.aspx file for Application2: <%@ Page AutoEventWireup=&quot;true&quot; %>

<asp:Label id=label1 runat=&quot;server&quot; Text=&quot;Authenticated In Application2&quot;></asp:Label> <asp:Label Runat=server ID=&quot;Label2&quot; ></asp:Label> </Form> </li> <li>Request Default.aspx in Application1.</li> <li>After you are redirected to Login.aspx, log on by typing username for the user name and password for the password. Notice that you are redirected to Default.aspx in Application1.</li> <li>Request Default.aspx in Application2. Notice that you are not redirected to the Login.aspx page in Application2.</li></ol>

<div class="references_section">